- 11-05-2008 #1 Just Joined! (Join Date: Nov 2008, Posts: 2)
Permissions problems with Samba PDC, Samba Domain Member and XP workstation combo.
G'day
I have not been able to figure out why I am getting the following error in the scenario that I have:
"The trust relationship between this workstation and the primary domain failed"
Some of the configs may look a bit too permissive. I was attempting to open it up and then close shares etc. again once I resolved the issue.
In general I have a Samba PDC which uses LDAP and kerberos for authentication. I am using:
smbldap-tools 0.9.5-1
samba 3.0.28
openldap 2.3.27-8
kerberos 1.6.1-25
CentOS 5.2
I have read about problems with samba 3.0.23 in this area but it sounded like that was resolved. Is that still an issue?
I have a Samba PDC with the following smb.conf:

Code:
[global]
idmap gid = 16777216-33554431
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
time server = yes
dns proxy = no
cups options = raw
netbios name = HMDCSIN
ldap passwd sync = yes
idmap uid = 16777216-33554431
logon script = logon.bat
local master = yes
workgroup = HMDCS1
os level = 65
debug level = 256
ldap admin dn = cn=manager,dc=ldapsrv,dc=in,dc=localdomain,dc=local
printcap name = /etc/printcap
security = user
add machine script = /usr/sbin/smbldap-useradd -w "%m"
delete user script = /usr/sbin/smbldap-userdel "%u"
log level = 10
log file = /var/log/samba/%m.log
load printers = yes
ldap user suffix = ou=Users
add group script = /usr/sbin/smbldap-groupadd -p "%g"
delete group script = /usr/sbin/smbldap-groupdel "%g"
logon drive =
domain master = yes
encrypt passwords = yes
winbind use default domain = no
passdb backend = ldapsam:ldap://ldapsrv.in.localdomain.local/
passdb backend = ldapsam:ldap://ldapsrv.in.localdomain.local/
logon home = \\HMDCSIN\homedir\%U
template shell = /bin/false
wins support = true
ldap delete dn = yes
ldap group suffix = ou=Groups
server string = Samba Server Version %v
ldap machine suffix = ou=Users
ldap suffix = dc=ldapsrv,dc=in,dc=localdomain,dc=local
logon path =
add user script = /usr/sbin/smbldap-useradd -m "%u"
set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
syslog = 3
domain logons = yes

[homes]
comment = Home Directories
browseable = no
writable = yes
valid users = %S
read only = No
create mask = 0644
directory mask = 0775
path = /home/samba/homedir/%U

[studenttmp]
browseable = yes
writable = yes
path = /home/samba/stmp
guest ok = yes
comment = Students Temporary file space
public = yes
create mode = 777
directory mode = 777

[netlogon]
comment = Network Logon Service
path = /home/samba/netlogon
guest ok = yes
writable = no
share modes = no

I have a Samba Domain member with the following smb.conf:

Code:
[global]
netbios name = ldb15.local
local master = No
workgroup = HMDCS1
os level = 33
security = domain
max log size = 1000
log level = 10
log file = /var/log/samba/%m.log
wins server = 192.168.240.14
domain master = No
# password server = *
# logon home =
# server string = Samba Server Version %v
# logon path =
syslog = 10
# preferred master = no

[homes2]
comment = Home Directories
path = /home/samba/homedir/%U
valid users = %S
read only = No
create mask = 0644
directory mask = 0777
browseable = Yes
guest ok = Yes

[trial]
comment = Students Temporary file space
path = /home/samba/stmp
read only = No
guest ok = Yes

I have added a machine account for the domain member to the Samba PDC using smbldap-useradd. It allowed me to perform the join successfully. Although it might have lied.
The XP workstation has successfully joined the HMDCS1 domain and when I log in as an authenticated user, I can see HMDCSIN, the XP workstation and the Samba Domain member, all listed under HMDCS1 Domain. Looks good.
If I click on HMDCSIN, I get shares, if I click on ibm_01 (the XP workstation), I get shares. If I click on the Samba Domain member I get the above error.
I've been looking at the logs on both sides since the weekend. Using Wireshark, no nasty messages. I just can't see an obvious problem. Do I possibly have some of the settings conflicting between the PDC and the DM? There are likely a lot more details I could post but not sure if they are necessary at this time or would just clutter up the posting.
Any suggestions on what the next debugging step I might take is? Docs I might have missed? What's it thinking right about then?
I have re-joined the workstation a couple of times.
Thanks...
--
ldb
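The post notes that the shares were opened up for debugging and are to be closed again afterwards. As an added example (not part of the original post), this Python sketch lists which shares in an smb.conf still allow guest writes, combine guest access with a `valid users` restriction, or use world-writable masks. The function name `audit_shares` and the finding labels are hypothetical, and the sample is constructed from the share sections posted above.

```python
import configparser
# Constructed sample: share sections taken from the two smb.conf files in the post.
SAMPLE = """\
[global]
[homes2]
valid users = %S
read only = No
directory mask = 0777
guest ok = Yes
[trial]
read only = No
guest ok = Yes
[studenttmp]
writable = yes
public = yes
directory mode = 777
[netlogon]
guest ok = yes
writable = no
"""
MASKS = ("create mask", "create mode", "directory mask", "directory mode")

def _yes(v):
    return v.strip().lower() in ("yes", "true", "1")

def _writable(s):
    # "writable"/"writeable"/"write ok" invert "read only" (Samba default: read only = yes).
    for k in ("writable", "writeable", "write ok"):
        if k in s:
            return _yes(s[k])
    return "read only" in s and not _yes(s["read only"])

def audit_shares(text):
    # Returns {share: [findings]}; [global] is skipped, clean shares are omitted.
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.read_string(text)
    report = {}
    for name in (n for n in cp.sections() if n.lower() != "global"):
        s, found = cp[name], []
        guest = any(_yes(s[k]) for k in ("guest ok", "public") if k in s)
        if guest and _writable(s):
            found.append("guest-writable")
        if guest and "valid users" in s:
            found.append("guest-ok-with-valid-users")
        if any(int(s[k], 8) & 0o002 for k in MASKS if k in s):
            found.append("world-writable-mask")
        if found:
            report[name] = found
    return report
```

Calling `audit_shares(open("/etc/samba/smb.conf").read())` gives the list of shares to tighten once the trust problem is resolved; `strict=False` lets it read files with repeated keys such as the doubled `passdb backend` line.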
- 11-05-2008 #2 Just Joined! (Join Date: Nov 2008, Posts: 2)
Permissions problems with Samba PDC, Samba Domain Member and XP workstation combo.
G'day
Okay, I ended up making the following changes to smb.conf on the Domain member:
password server = <hostname>
realm = <realm>
That's pretty much it. Deleted the machine account on the PDC, did a testjoin to make sure it was dead. Changed my hostname (had a conflict) and then rejoined.
Now I can see the Domain Member and go into all but one directory so that's minor. However, now I'm not sure if this is how I need to accomplish my goal.
I have a school setup with Samba PDC/LDAP/Kerberos, Samba Domain member, which will authenticate against the LDAP/Kerberos on the PDC. When a student logs in I want their home directory to be on the Domain member, but if a staff member logs in, I want their home directory to be on the PDC. Any suggestions of the Samba configuration I would need? Or is it just a login script issue I need to look at?
Thanks...
--
ldb
Last edited by lindad; 11-05-2008 at 11:39 PM. Reason: add braces around realm


