- 03-27-2009 #1 Just Joined! (Join Date: Jun 2008, Location: Spring, TX, Posts: 14)
[SOLVED] Samba server, Domain trusts
Background: I'm the IT guy at the Houston, TX branch of an international company with offices in four countries. Our network is Window$ server 2003 AD, with independent domains for each location, with trusts between each. I'd rather see a domain forest with each office being a member, but that's another rant.
I built a linux box to be a file server here in my office. It's running CentOS 5.1, with Samba configured to be a domain member. I'll post contents of the config files at the end, but basically, members of my local domain can access the samba share, but members of the trusted domains cannot. I'm pulling my hair out here.
/etc/samba/smb.conf:
workgroup = 2hushou1
password server = 2hus037
realm = 2HUSHOU1
security = ads
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
template shell = /bin/bash
winbind use default domain = false
winbind offline logon = false
allow trusted domains = Yes
winbind separator = +
passdb backend = tdbsam
cups options = raw
server string =
encrypt passwords = yes
[printers]
comment = All Printers
path = /var/spool/samba
printable = yes
[V]
comment = V: Drive
path = /V
read only = yes
; browseable = yes
; guest ok = yes
admin users = "+2HUSHOU1+administrators"
valid users = "+2HUSHOU1+administrators", "+2HUSHOU1+access to v (r)", "+2HUKWOK2.local+access to v (r)", "+2HMYKUA1.local+access to v (r)", "+2HBRRIO1.local+access to v (r)", 2hukwok2+domainadmin
write list = "+2HUSHOU1+document control team", "+2HUSHOU1+administrators"
/etc/krb5.conf:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = 2HUSHOU1
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes
[realms]
EXAMPLE.COM = {
kdc = kerberos.example.com:88
admin_server = kerberos.example.com:749
default_domain = example.com
}
2HUSHOU1 = {
kdc = 192.168.1.22
admin_server = 2hus037.2HUSHOU1
kdc = 192.168.1.22
}
2HUKWOK2 = {
kdc = 192.168.0.34
admin_server = 2h115.2hukwok2.local
default_domain = 2hukwok2.local
}
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
2hushou1 = 2HUSHOU1
.2hushou1 = 2HUSHOU1
2hukwok2.local = 2HUKWOK2.local
.2hukwok2.local = 2HUKWOK2.local
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
"net ads testjoin" returns Join is OK, and "wbinfo -a" successfully authenticates members of the 2HUKWOK2.local trusted domain. However, "wbinfo -r" returns an error for members of the trusted domains, and I suspect this is why they can't access the share, but I may be wrong.
[root@twohus153 ~]# net rpc trustdom list -U2HUSHOU1+adminuser%adminpass
Trusted domains list:
2HUKWOK2 S-1-5-21-1483448500-3058526776-1278923618
2HBRRIO1 S-1-5-21-3648243851-1836489355-1408670573
2HMYKUA1 S-1-5-21-258026591-1181637403-2273559695
Trusting domains list:
Unable to find a suitable server
domain controller is not responding
Unable to find a suitable server
domain controller is not responding
Unable to find a suitable server
domain controller is not responding
2HUKWOK2 2HBRRIO1 2HMYKUA1
The above could also be the source of my problem. I'm out of ideas. Any gurus out there that can tell me what I'm doing wrong?
- 03-27-2009 #2 Linux Guru (Join Date: Nov 2007, Posts: 1,722)
In order to authenticate in the environment you have set up, your Samba server has to bounce user credentials for other users off a domain controller (DC) for the other domains.
Your list of trusted domains is just that - 3 domain names. Now Samba has to use that domain name to find a DC for each domain. AD does this via DNS and SRV records. I would start by looking at which DNS server the Samba box is using. Does that DNS server have SRV records that define roles in these other domains? Or does that DNS server redirect correctly to other DNS servers for DNS namespace outside its control?
> 2HUKWOK2 S-1-5-21-1483448500-3058526776-1278923618
> 2HBRRIO1 S-1-5-21-3648243851-1836489355-1408670573
> 2HMYKUA1 S-1-5-21-258026591-1181637403-2273559695
(You *might* be able to cheat and do something like put the domain name [2HBRRIO] into the Samba server's /etc/hosts file and point it to an IP of a DC for that domain - you might also try the FQDN for the domain. I've done things like that in small/test environments in the past.)
The message you're getting about the trusted domains says clearly that it can't find a "suitable server" (DC) and then "DC is not responding."
** Edit: Not that I *know* it's an issue, but you may also want to try using REALM = FQDN (domain.sub.sub.root.xyz) because you are using security = ads vs. the older security = domain.
I cannot stress this enough: name resolution, name resolution, and then check...name resolution. Since you're using AD, you have to consider SRV records along with the normal A and PTR records.
Another tip: If you want to know which DC your Samba machine is talking to - look at netstat and grep for port 445 on the remote machine:
netstat -anp | grep 445
tcp 0 0 10.XX.XX.XX:42410 192.XX.XX.200:445 ESTABLISHED 1874/winbindd
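The name-resolution checks the reply above describes, as an added example that is not part of the thread: a POSIX sh script that asks the Samba box's own resolver for the AD DC-locator SRV records of each trusted domain and then probes tcp/445 on every DC those records advertise. It assumes `dig` and `nc` are installed; the SRV names are the standard `_msdcs` records AD publishes, and the domain names in the usage line are the ones from this thread.

```shell
#!/bin/sh
# Added diagnostic, not from the thread. Assumes `dig` (bind-utils) and `nc`
# are installed; the SRV names are the standard AD DC-locator records.

# pick_srv_targets: reads `dig +short SRV` answer lines ("prio weight port target.")
# on stdin and prints "target:port", lowest priority first, highest weight first.
pick_srv_targets() {
    sort -k1,1n -k2,2nr | awk 'NF == 4 { sub(/\.$/, "", $4); print $4 ":" $3 }'
}

# dc_srv_names DNSDOMAIN: the DC-locator SRV names winbind and AD clients query.
dc_srv_names() {
    printf '%s\n' "_kerberos._tcp.dc._msdcs.$1" "_ldap._tcp.dc._msdcs.$1"
}

# check_trust_dc DNSDOMAIN: look up each SRV name against the resolver this box
# uses (/etc/resolv.conf) and probe tcp/445 on every advertised DC.
# Returns 0 only if every record exists and every DC answers on 445.
check_trust_dc() {
    dom=$1
    rc=0
    for name in $(dc_srv_names "$dom"); do
        targets=$(dig +short SRV "$name" | pick_srv_targets)
        if [ -z "$targets" ]; then
            echo "NO SRV  $name  (winbind cannot locate a DC for $dom via DNS)"
            rc=1
            continue
        fi
        for t in $targets; do
            host=${t%:*}
            if nc -z -w 3 "$host" 445 2>/dev/null; then
                echo "OK      $name -> $host  (tcp/445 reachable)"
            else
                echo "FAIL    $name -> $host  (tcp/445 unreachable)"
                rc=1
            fi
        done
    done
    return "$rc"
}

# Usage: sh check_trust_dc.sh 2hukwok2.local 2hbrrio1.local 2hmykua1.local
if [ "$#" -gt 0 ]; then
    for d in "$@"; do check_trust_dc "$d"; done
fi
```

A "NO SRV" line for a domain means the Samba box's resolver cannot answer the locator query at all, which is the failure mode the reply above is pointing at; a "FAIL" line means DNS is fine but the DC itself is unreachable on 445.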
- 03-27-2009 #3 Just Joined! (Join Date: Jun 2008, Location: Spring, TX, Posts: 14)
Thanks, I'll look into the above and report back. Also, at my office, 2HUSHOU1 is the FQDN. I don't like it, but it was that way when I got here.

Edit: SRV records. None currently exist.
I'll start making them. Samba is looking for Kerberos, not LDAP, right?
- 03-27-2009 #4 Linux Guru (Join Date: Nov 2007, Posts: 1,722)
- 03-27-2009 #5 Just Joined! (Join Date: Jun 2008, Location: Spring, TX, Posts: 14)
- 03-27-2009 #6 Just Joined! (Join Date: Jun 2008, Location: Spring, TX, Posts: 14)
- 03-27-2009 #7 Just Joined! (Join Date: Jun 2008, Location: Spring, TX, Posts: 14)
> [root@twohus153 ~]# netstat -anp | grep 445
tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN 2617/smbd
tcp 0 0 192.168.1.27:445 192.168.1.73:1362 ESTABLISHED 2962/smbd
tcp 0 0 192.168.1.27:445 192.168.1.239:1723 ESTABLISHED 3373/smbd
tcp 0 0 192.168.1.27:445 192.168.1.233:1397 ESTABLISHED 3142/smbd
tcp 0 0 192.168.1.27:445 192.168.1.155:2578 ESTABLISHED 3118/smbd
tcp 0 0 192.168.1.27:445 192.168.1.67:3757 ESTABLISHED 3016/smbd
tcp 0 0 192.168.1.27:37341 192.168.1.22:445 ESTABLISHED 2631/winbindd
tcp 0 0 192.168.1.27:58828 192.168.1.22:445 ESTABLISHED 2640/winbindd
tcp 0 0 192.168.1.27:49710 192.168.4.5:445 TIME_WAIT - <<< UK DC / DNS server 2HUKWOK2.local
tcp 0 0 192.168.1.27:49692 192.168.4.5:445 TIME_WAIT -
tcp 0 0 192.168.1.27:49694 192.168.4.5:445 TIME_WAIT -
tcp 0 0 192.168.1.27:56741 192.168.2.1:445 TIME_WAIT - <<< Unknown IP???
tcp 0 0 192.168.1.27:56727 192.168.2.1:445 TIME_WAIT -
tcp 0 0 192.168.1.27:53100 192.168.1.22:445 TIME_WAIT - <<< Local DC / DNS Server
tcp 0 0 192.168.1.27:53064 192.168.1.22:445 TIME_WAIT -
- 03-30-2009 #8 Just Joined! (Join Date: Jun 2008, Location: Spring, TX, Posts: 14)
Tried this, and it doesn't help. DNS seems to be functioning properly. An attempt to connect to the share by a UK user yields a connection on port 445 to a UK DC, a la
tcp 0 0 192.168.1.27:40149 192.168.4.5:445 ESTABLISHED 5250/winbindd
But only momentarily.
/var/log/samba/wb-2HUKWOK2.log is full of this:
[2009/03/30 14:49:10, 1] nsswitch/winbindd_user.c:winbindd_dual_userinfo(152)
error getting user info for sid S-1-5-21-1483448500-3058526776-1278923618-1147
However, I can do this:
[root@twohus153 samba]# wbinfo --krb5auth=2HUKWOK2.local+adminuser%adminpass
plaintext kerberos password authentication for [2HUKWOK2.local+adminuser%adminpass] succeeded (requesting cctype: FILE)
no credentials cached
So that means I'm talking to the DC, right? Where, then, is the breakdown?
- 04-01-2009 #9 Just Joined! (Join Date: Jun 2008, Location: Spring, TX, Posts: 14)
Problem solved. I'll post the fix for the benefit of anyone else who may ever have this issue.
CentOS 5 ships with Samba 3.0.28. Copying and pasting a line from the winbind log into the Google yielded this page:
[Samba] winbind between trusted domains really acting up under 3.0.28a
Apparently Googling variations of "samba AD domain trust problem" wasn't specific enough.
It seems Samba 3.0.28 broke the ability to use samba shares across AD domain trusts. I upgraded to Samba 3.3.2, and it works now.
Cheers,
Rob