samba-users May 2010 archive
Main Archive Page > Month Archives  > samba-users archives
samba-users: [Samba] Why do Interdomain trusts try to use kerber

[Samba] Why do Interdomain trusts try to use kerberos - updated

From: Gaiseric Vandal <gaiseric.vandal_at_nospam>
Date: Sun May 02 2010 - 17:43:24 GMT
To: <samba@lists.samba.org>

On my test Samba PDC, I updated the krb5.conf file to add realm info for the
Windows 2008. This seems to have resolved my "wbinfo" issue. "getent
passwd" is still not working (I did update nsswitch.conf) but I suspect this
is because of an idmap allocation issue. The syntax for idmap allocation
in smb.conf seems to change between 3.0, 3.2, 3.3 and 3.4.

I have also tried setting up a similar trust between the Windows 2008 and my
production Samba environment. The production samba environment had a 3.0.x
PDC (DC1) and BDC and a 3.4.x BDC. 3.0.x seems to be incompatible with Win
2008 so I promoted the 3.4.x BDC to PDC. However, the Windows PDC cannot
validate the trust

The verification of the incoming trust failed with the following error(s):
The target system DC1 does not support NetLogon trust password
verification.
A secure channel reset will be attempted.
The secure channel reset failed with error 1355: The specified domain either
does not exist or could not be contacted.

I suspect I need to reboot the Windows 2008 PDC to make it locate the new
samba PDC.

So why am I still using Samba 3.0.x? Because I am running Solaris and Sun
(now Oracle) seems to have lost interest in anything besides being a server
platform for oracle and has provided a production build of Samba 3.4.

-----Original Message-----
From: Gaiseric Vandal [mailto:gaiseric.vandal@gmail.com]
Sent: Friday, April 30, 2010 5:16 PM
To: Samba
Subject: Why do Interdomain trusts try to use kerberos

I have setup a test PDC with samba 3.4.7 on a fedora core 12 linux
machine. I have setup two way interdomain trusts with a Windows 2008
domain. The domain and forest functional levels are Windows 2003.

Since the samba machine is not emulating an Active Domain Controller,
the Windows 2008 machine should think it is talking to an NT4 server.
And since NT4-based domains don't use kerberos, I would have expected
kerberos should not be a factor.

On the Windows 2008 PDC I can grant samba users file access.

I setup up the samba domain to trust the windows domain. I started
the process on the windows PDC first.

----------------------------------------------------------------------------
--------------------------------
[samba_pdc]# net rpc trustdom establish win_domain

Enter SMB_DOMAIN$'s password:
Could not connect to server WIN_PDC
Trust to domain WIN_DOMAIN established
[samba_pdc]#

----------------------------------------------------------------------------
--------------------------------

Not sure if the "could not connect" error is a problem- I think I have
seen that even when trusts are OK.

----------------------------------------------------------------------------
--------------------------------
[samba_pdc# net rpc trustdom list -U Administrator -S samba_pdc

Enter Administrator's password:
Trusted domains list:

WIN_DOMAIN S-1-5-21-......................

Trusting domains list:

WIN_DOMAIN S-1-5-21-.....................

none
[samba_pdc
----------------------------------------------------------------------------
--------------------------------

On the samba server, "wbinfo -u" and "wbinfo -g" do not return any
entries from the WIN_DOMAIN. Log files show issues with idmap and kerberos.

# cat log.winbindd-idmap

[2010/04/30 15:36:53, 0] winbindd/idmap_tdb.c:341(idmap_tdb_alloc_init)
   idmap will be unable to map foreign SIDs: NT_STATUS_UNSUCCESSFUL
[2010/04/30 15:36:53, 0] winbindd/idmap.c:589(idmap_alloc_init)
   ERROR: Initialization failed for alloc backend, deferred!
[2010/04/30 15:36:53, 0] winbindd/idmap.c:201(smb_register_idmap_alloc)
   idmap_alloc module ldap already registered!
[2010/04/30 15:36:53, 0] winbindd/idmap.c:201(smb_register_idmap_alloc)
   idmap_alloc module tdb already registered!
[2010/04/30 15:36:53, 0] winbindd/idmap.c:149(smb_register_idmap)
   Idmap module passdb already registered!
[2010/04/30 15:36:53, 0] winbindd/idmap.c:149(smb_register_idmap)
   Idmap module nss already registered!
[2010/04/30 15:36:53, 1] winbindd/idmap_tdb.c:214(idmap_tdb_load_ranges)
   idmap uid missing
[2010/04/30 15:36:53, 0] winbindd/idmap_tdb.c:287(idmap_tdb_open_db)
   Upgrade of IDMAP_VERSION from -1 to 2 is not possible with incomplete
configuration

...

# cat log.wb-WIN_DOMAIN | more
...

[2010/04/30 16:15:19, 0] libads/kerberos.c:333(ads_kinit_password)
   kerberos_kinit_password RESEARCH@SSCI.COM failed: Cannot find KDC for
requested realm
[2010/04/30 16:15:19, 1]
winbindd/winbindd_ads.c:127(ads_cached_connection)
   ads_connect for domain WIN_DOMAIN failed: Cannot find KDC for
requested realm

----------------------------------------------------------------------------
--------------------------------

Any thoughts? Can I force samba to not try kerberos? Are the two sets
of errors even related? Or can I just add a krb5.conf entry for the
WIN_DOMAIN even if I am not using kerberos otherwise?

Thanks

-- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba