samba-users May 2010 archive

[Samba] interdomain trusts / wbinfo and listent_recv: returned no users

From: Gaiseric Vandal <gaiseric.vandal_at_nospam>
Date: Tue May 04 2010 - 20:16:49 GMT
To: samba@lists.samba.org

As per my earlier post, I was having problems getting trusts set up between
my Samba domain (3.0.x PDC, 3.4.x BDC on Solaris 10) and two Active
Directory domains (each in a separate forest). One domain is a test
Win 2003 PDC in native Win 2003 mode, the other is a Win 2008 system
also in native Win 2003 mode.

To summarize some of the progress: things work better if the Samba 3.4
server is the PDC, master browser and WINS server.

I now appear to have trusts set up between Samba and the two native
Active Directory domains.

"wbinfo -u" and "wbinfo -g" list users from the Win 2008 domain but not
from the Win 2003 domain.

winbindd.log shows

     listent_recv: WIN_2003_DOMAIN returned no users

I did not have entries for either Active Directory domain in
krb5.conf. I have tried adding entries for those domains. (This had
helped with a test Samba domain on Fedora Core.) It doesn't seem to
matter for the Solaris PDC.

Any thoughts?

Thanks

On 05/02/2010 01:43 PM, Gaiseric Vandal wrote:
> On my test Samba PDC, I updated the krb5.conf file to add realm info for
> the Windows 2008. This seems to have resolved my "wbinfo" issue. "getent
> passwd" is still not working (I did update nsswitch.conf) but I suspect
> this is because of an idmap allocation issue. The syntax for idmap
> allocation in smb.conf seems to change between 3.0, 3.2, 3.3 and 3.4.
>
>
> I have also tried setting up a similar trust between the Windows 2008 and
> my production Samba environment. The production samba environment had a
> 3.0.x PDC (DC1) and BDC and a 3.4.x BDC. 3.0.x seems to be incompatible
> with Win 2008 so I promoted the 3.4.x BDC to PDC. However, the Windows
> PDC cannot validate the trust:
>
> The verification of the incoming trust failed with the following error(s):
> The target system DC1 does not support NetLogon trust password
> verification.
> A secure channel reset will be attempted.
> The secure channel reset failed with error 1355: The specified domain
> either does not exist or could not be contacted.
>
> I suspect I need to reboot the Windows 2008 PDC to make it locate the new
> samba PDC.
>
>
>
> So why am I still using Samba 3.0.x? Because I am running Solaris and
> Sun (now Oracle) seems to have lost interest in anything besides being a
> server platform for Oracle and has not provided a production build of Samba
> 3.4.
>
>
>
>
>
> -----Original Message-----
> From: Gaiseric Vandal [mailto:gaiseric.vandal@gmail.com]
> Sent: Friday, April 30, 2010 5:16 PM
> To: Samba
> Subject: Why do Interdomain trusts try to use kerberos
>
> I have set up a test PDC with Samba 3.4.7 on a Fedora Core 12 Linux
> machine. I have set up two-way interdomain trusts with a Windows 2008
> domain. The domain and forest functional levels are Windows 2003.
>
> Since the Samba machine is not emulating an Active Directory Domain Controller,
> the Windows 2008 machine should think it is talking to an NT4 server.
> And since NT4-based domains don't use Kerberos, I would have expected
> that Kerberos should not be a factor.
>
> On the Windows 2008 PDC I can grant Samba users file access.
>
>
> I set up the Samba domain to trust the Windows domain. I started
> the process on the Windows PDC first.
>
> ------------------------------------------------------------------------------------------------------------
> [samba_pdc]# net rpc trustdom establish win_domain
>
> Enter SMB_DOMAIN$'s password:
> Could not connect to server WIN_PDC
> Trust to domain WIN_DOMAIN established
> [samba_pdc]#
>
>
> ------------------------------------------------------------------------------------------------------------
>
>
> Not sure if the "could not connect" error is a problem; I think I have
> seen that even when trusts are OK.
>
>
> ------------------------------------------------------------------------------------------------------------
> [samba_pdc# net rpc trustdom list -U Administrator -S samba_pdc
>
> Enter Administrator's password:
> Trusted domains list:
>
> WIN_DOMAIN S-1-5-21-......................
>
> Trusting domains list:
>
> WIN_DOMAIN S-1-5-21-.....................
>
> none
> [samba_pdc
> ------------------------------------------------------------------------------------------------------------
>
> On the Samba server, "wbinfo -u" and "wbinfo -g" do not return any
> entries from the WIN_DOMAIN. Log files show issues with idmap and
> Kerberos.
>
>
>
>
> # cat log.winbindd-idmap
>
> [2010/04/30 15:36:53, 0] winbindd/idmap_tdb.c:341(idmap_tdb_alloc_init)
> idmap will be unable to map foreign SIDs: NT_STATUS_UNSUCCESSFUL
> [2010/04/30 15:36:53, 0] winbindd/idmap.c:589(idmap_alloc_init)
> ERROR: Initialization failed for alloc backend, deferred!
> [2010/04/30 15:36:53, 0] winbindd/idmap.c:201(smb_register_idmap_alloc)
> idmap_alloc module ldap already registered!
> [2010/04/30 15:36:53, 0] winbindd/idmap.c:201(smb_register_idmap_alloc)
> idmap_alloc module tdb already registered!
> [2010/04/30 15:36:53, 0] winbindd/idmap.c:149(smb_register_idmap)
> Idmap module passdb already registered!
> [2010/04/30 15:36:53, 0] winbindd/idmap.c:149(smb_register_idmap)
> Idmap module nss already registered!
> [2010/04/30 15:36:53, 1] winbindd/idmap_tdb.c:214(idmap_tdb_load_ranges)
> idmap uid missing
> [2010/04/30 15:36:53, 0] winbindd/idmap_tdb.c:287(idmap_tdb_open_db)
> Upgrade of IDMAP_VERSION from -1 to 2 is not possible with incomplete
> configuration
>
>
> ...
>
>
> # cat log.wb-WIN_DOMAIN | more
> ...
>
>
> [2010/04/30 16:15:19, 0] libads/kerberos.c:333(ads_kinit_password)
> kerberos_kinit_password RESEARCH@SSCI.COM failed: Cannot find KDC for
> requested realm
> [2010/04/30 16:15:19, 1] winbindd/winbindd_ads.c:127(ads_cached_connection)
> ads_connect for domain WIN_DOMAIN failed: Cannot find KDC for
> requested realm
>
>
> ------------------------------------------------------------------------------------------------------------
>
>
> Any thoughts? Can I force Samba to not try Kerberos? Are the two sets
> of errors even related? Or can I just add a krb5.conf entry for the
> WIN_DOMAIN even if I am not using Kerberos otherwise?
>
> Thanks
>
>

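The thread shows three separate symptoms in the winbind logs: "Cannot find KDC for requested realm" (no krb5.conf realm entry for the trusted AD domain), "idmap uid missing" / "Upgrade of IDMAP_VERSION ... not possible" (incomplete idmap range configuration), and "listent_recv: ... returned no users" (trust enumeration failing). The script below is an added example and is not part of this thread or of Samba; it parses log lines in the Samba 3.x format shown above (header line, then indented message lines, with the header's source field possibly wrapped onto the next line), flags each of those signatures, and reports any realm named in a KDC failure that has no entry under [realms] in krb5.conf, which is the check the poster did by hand on the Fedora test PDC. The log excerpt, krb5.conf text and the SMB.EXAMPLE / WIN.EXAMPLE realm names are constructed for the example.

```python
import re

# Samba 3.x log header, e.g.
# [2010/04/30 16:15:19, 0] libads/kerberos.c:333(ads_kinit_password)
# The source field may be missing when the line was wrapped by a mailer.
HEADER_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}),\s*(?P<level>\d+)\]\s*(?P<src>\S+)?\s*$"
)
SRC_RE = re.compile(r"^\S+\.c:\d+\(\w+\)$")  # a wrapped "file.c:line(function)" field

# Signatures taken from the messages quoted in the thread.
KDC_FAIL_RE = re.compile(
    r"kerberos_kinit_password \S+@(?P<realm>[A-Za-z0-9.\-]+) failed: Cannot find KDC"
)
IDMAP_RE = re.compile(
    r"idmap uid missing|Upgrade of IDMAP_VERSION .* not possible|unable to map foreign SIDs"
)
NOUSERS_RE = re.compile(r"listent_recv: (?P<dom>\S+) returned no users")


def parse_winbind_log(text):
    """Return a list of {ts, level, src, msg} dicts, one per log entry.
    Indented lines continue the current entry; an unindented line that is
    neither a header nor a wrapped source field starts a header-less entry."""
    entries, cur = [], None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        m = HEADER_RE.match(raw)
        if m:
            cur = {"ts": m.group("ts"), "level": int(m.group("level")),
                   "src": m.group("src") or "", "msg": ""}
            entries.append(cur)
        elif cur is not None and not cur["src"] and SRC_RE.match(raw.strip()):
            cur["src"] = raw.strip()  # header was wrapped onto two lines
        elif raw[0].isspace() and cur is not None:
            cur["msg"] = (cur["msg"] + " " + raw.strip()).strip()
        else:
            cur = {"ts": "", "level": None, "src": "", "msg": raw.strip()}
            entries.append(cur)
    return entries


def realms_in_krb5_conf(text):
    """Return the upper-cased realm names defined under [realms] in krb5.conf."""
    realms, section = set(), None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            section = s[1:-1].lower()
            continue
        if section == "realms":
            m = re.match(r"^([A-Za-z0-9.\-]+)\s*=\s*\{", s)
            if m:
                realms.add(m.group(1).upper())
    return realms


def diagnose(log_text, krb5_text):
    """Classify winbind log entries and cross-check KDC failures against krb5.conf."""
    defined = realms_in_krb5_conf(krb5_text)
    report = {"kdc_missing": set(), "idmap_incomplete": [], "no_users": set()}
    for e in parse_winbind_log(log_text):
        m = KDC_FAIL_RE.search(e["msg"])
        if m and m.group("realm").upper() not in defined:
            report["kdc_missing"].add(m.group("realm").upper())
        if IDMAP_RE.search(e["msg"]):
            report["idmap_incomplete"].append(f'{e["src"]}: {e["msg"]}')
        m = NOUSERS_RE.search(e["msg"])
        if m:
            report["no_users"].add(m.group("dom"))
    return report


# Constructed sample input, modelled on the log lines quoted in the thread.
SAMPLE_LOG = """\
[2010/04/30 15:36:53, 1] winbindd/idmap_tdb.c:214(idmap_tdb_load_ranges)
  idmap uid missing
[2010/04/30 15:36:53, 0] winbindd/idmap_tdb.c:287(idmap_tdb_open_db)
  Upgrade of IDMAP_VERSION from -1 to 2 is not possible with incomplete
  configuration
[2010/04/30 16:15:19, 0] libads/kerberos.c:333(ads_kinit_password)
  kerberos_kinit_password SMBDOM@WIN.EXAMPLE failed: Cannot find KDC for
  requested realm
[2010/04/30 16:15:19, 1]
winbindd/winbindd_ads.c:127(ads_cached_connection)
  ads_connect for domain WIN_DOMAIN failed: Cannot find KDC for
  requested realm
listent_recv: WIN_DOMAIN returned no users
"""

# Constructed krb5.conf that knows only the Samba realm, not the trusted AD realm.
SAMPLE_KRB5 = """\
[libdefaults]
    default_realm = SMB.EXAMPLE

[realms]
    SMB.EXAMPLE = {
        kdc = pdc.smb.example
    }
"""

if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_LOG, SAMPLE_KRB5).items():
        print(f"{key}: {value}")
```

Running it on the sample reports WIN.EXAMPLE as a realm with a KDC lookup failure and no [realms] entry, two idmap range messages, and WIN_DOMAIN as a domain that returned no users; adding a WIN.EXAMPLE block under [realms] makes the first finding disappear, which is the quickest way to confirm that the Kerberos errors and the empty "wbinfo -u" output are the same problem rather than two.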