    #1 | Just Joined! | Join Date: Jun 2008 | Location: Spring, TX | Posts: 14

    [SOLVED] Samba server, Domain trusts


    Background: I'm the IT guy at the Houston, TX branch of an international company with offices in four countries. Our network is Window$ server 2003 AD, with independent domains for each location, with trusts between each. I'd rather see a domain forest with each office being a member, but that's another rant.

    I built a linux box to be a file server here in my office. It's running CentOS 5.1, with Samba configured to be a domain member. I'll post contents of the config files at the end, but basically, members of my local domain can access the samba share, but members of the trusted domains cannot. I'm pulling my hair out here.

    /etc/samba/smb.conf:

    workgroup = 2hushou1
    password server = 2hus037
    realm = 2HUSHOU1
    security = ads
    idmap uid = 16777216-33554431
    idmap gid = 16777216-33554431
    template shell = /bin/bash
    winbind use default domain = false
    winbind offline logon = false
    allow trusted domains = Yes
    winbind separator = +
    passdb backend = tdbsam
    cups options = raw
    server string =
    encrypt passwords = yes

    [printers]
    comment = All Printers
    path = /var/spool/samba
    printable = yes

    [V]
    comment = V: Drive
    path = /V
    read only = yes
    ; browseable = yes
    ; guest ok = yes
    admin users = "+2HUSHOU1+administrators"
    valid users = "+2HUSHOU1+administrators", "+2HUSHOU1+access to v (r)", "+2HUKWOK2.local+access to v (r)", "+2HMYKUA1.local+access to v (r)", "+2HBRRIO1.local+access to v (r)", 2hukwok2+domainadmin
    write list = "+2HUSHOU1+document control team", "+2HUSHOU1+administrators"



    /etc/krb5.conf:

    [logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
    default_realm = 2HUSHOU1
    dns_lookup_realm = false
    dns_lookup_kdc = false
    ticket_lifetime = 24h
    forwardable = yes

    [realms]
    EXAMPLE.COM = {
    kdc = kerberos.example.com:88
    admin_server = kerberos.example.com:749
    default_domain = example.com
    }

    2HUSHOU1 = {
    kdc = 192.168.1.22
    admin_server = 2hus037.2HUSHOU1
    kdc = 192.168.1.22
    }

    2HUKWOK2 = {
    kdc = 192.168.0.34
    admin_server = 2h115.2hukwok2.local
    default_domain = 2hukwok2.local
    }

    [domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM

    2hushou1 = 2HUSHOU1
    .2hushou1 = 2HUSHOU1

    2hukwok2.local = 2HUKWOK2.local
    .2hukwok2.local = 2HUKWOK2.local

    [appdefaults]
    pam = {
    debug = false
    ticket_lifetime = 36000
    renew_lifetime = 36000
    forwardable = true
    krb4_convert = false
    }


    "net ads testjoin" returns Join is OK, and "wbinfo -a" successfully authenticates members of the 2HUKWOK2.local trusted domain. However, "wbinfo -r" returns an error for members of the trusted domains, and I suspect this is why they can't access the share, but I may be wrong.

    [root@twohus153 ~]# net rpc trustdom list -U2HUSHOU1+adminuser%adminpass
    Trusted domains list:

    2HUKWOK2 S-1-5-21-1483448500-3058526776-1278923618
    2HBRRIO1 S-1-5-21-3648243851-1836489355-1408670573
    2HMYKUA1 S-1-5-21-258026591-1181637403-2273559695

    Trusting domains list:

    Unable to find a suitable server
    domain controller is not responding
    Unable to find a suitable server
    domain controller is not responding
    Unable to find a suitable server
    domain controller is not responding
    2HUKWOK2 2HBRRIO1 2HMYKUA1

    The above could also be the source of my problem. I'm out of ideas. Any gurus out there that can tell me what I'm doing wrong?

    #2 | Linux Guru | Join Date: Nov 2007 | Posts: 1,760
    In order to authenticate in the environment you have set up, your Samba server has to bounce user credentials for other users off a domain controller (DC) for the other domains.

    2HUKWOK2 S-1-5-21-1483448500-3058526776-1278923618
    2HBRRIO1 S-1-5-21-3648243851-1836489355-1408670573
    2HMYKUA1 S-1-5-21-258026591-1181637403-2273559695
    Your list of trusted domains is just that - 3 domain names. Now Samba has to use that domain name to find a DC for each domain. AD does this via DNS and SRV records. I would start by looking at which DNS server the Samba box is using. Does that DNS server have SRV records that define roles in these other domains? Or does that DNS server redirect correctly to other DNS servers for DNS namespace outside its control?

    (You *might* be able to cheat and do something like put the domain name [2HBRRIO] into the Samba server's /etc/hosts file and point it to an IP of a DC for that domain - you might also try the FQDN for the domain. I've done things like that in small/test environments in the past.)

    The message you're getting about the trusted domains says clearly that it can't find a "suitable server" (DC) and then "DC is not responding."

    ** Edit: Not that I *know* it's an issue, but you may also want to try using REALM = FQDN (domain.sub.sub.root.xyz) because you are using security = ads vs. the older security = domain.

    I cannot stress this enough: name resolution, name resolution, and then check...name resolution. Since you're using AD, you have to consider SRV records along with the normal A and PTR records.

    Another tip: If you want to know which DC your Samba machine is talking to - look at netstat and grep for port 445 on the remote machine:

    Code:
    netstat -anp | grep 445
    tcp        0      0 10.XX.XX.XX:42410           192.XX.XX.200:445             ESTABLISHED 1874/winbindd
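    An added example (not from either poster) of the DC-location step described above: the SRV names an AD member looks up for a realm, and the RFC 2782 rule for choosing a DC from the answers, run over a constructed sample of `dig +short SRV` output (hostnames made up; `check_realm` is a hypothetical helper for a live resolver check).

```shell
#!/bin/sh
# Added example (not from the thread). Constructed sample of
#   dig +short SRV _ldap._tcp.dc._msdcs.2hukwok2.local
# Fields: priority weight port target. Hostnames are made up.
SRV_SAMPLE='10 100 389 dc1.2hukwok2.local.
10 50 389 dc2.2hukwok2.local.
20 100 389 dc3.2hukwok2.local.'

# SRV names an AD member looks up for a realm: the DC locator record,
# the KDC record and the password-change record.
srv_names() {
    realm=$1
    printf '%s\n' "_ldap._tcp.dc._msdcs.$realm" \
                  "_kerberos._tcp.$realm" \
                  "_kpasswd._tcp.$realm"
}

# Pick the DC a client tries first from SRV answers: lowest priority wins,
# ties go to the highest weight (RFC 2782). Trailing dot is stripped.
pick_dc() {
    printf '%s\n' "$1" | sort -k1,1n -k2,2nr | head -n 1 \
        | awk '{ sub(/\.$/, "", $4); print $4 }'
}

# Live check against the resolver the Samba box actually uses. Needs dig;
# an empty answer for the first name means winbind cannot locate a DC
# for that trusted domain, which is the failure mode in the thread.
check_realm() {
    for name in $(srv_names "$1"); do
        answer=$(dig +short SRV "$name")
        if [ -n "$answer" ]; then
            printf '%s -> %s\n' "$name" "$(pick_dc "$answer")"
        else
            printf '%s -> NO SRV RECORD\n' "$name"
        fi
    done
}
```

    Run `check_realm 2hukwok2.local` on the Samba host to see exactly which DC winbind would be handed for the trusted domain.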

    #3 | Just Joined! | Join Date: Jun 2008 | Location: Spring, TX | Posts: 14
    Thanks, I'll look into the above and report back. Also, at my office, 2HUSHOU1 is the FQDN. I don't like it, but it was that way when I got here.

    Edit: SRV records. None currently exist. I'll start making them. Samba is looking for Kerberos, not LDAP, right?

    #4 | Linux Guru | Join Date: Nov 2007 | Posts: 1,760
    Quote Originally Posted by Rob_B View Post
    Thanks, I'll look into the above and report back. Also, at my office, 2HUSHOU1 is the FQDN. I don't like it, but it was that way when I got here.
    So your machine FQDNs are something like machineA.2hushou1?

    #5 | Just Joined! | Join Date: Jun 2008 | Location: Spring, TX | Posts: 14
    Quote Originally Posted by HROAdmin26 View Post
    So your machine FQDNs are something like machineA.2hushou1?
    Yes. That has also been a constant source of despair. I'm planning a weekend to change that, as I've got to change my local IP ranges to fit some organizational scheme the UK guys have come up with.

    #6 | Just Joined! | Join Date: Jun 2008 | Location: Spring, TX | Posts: 14
    Quote Originally Posted by Rob_B View Post
    Edit: SRV records. None currently exist. I'll start making them. Samba is looking for Kerberos, not LDAP, right?
    Brainfart. They're there, right where they're supposed to be. You'll have to excuse me, I'm a decaffeinated administrator at the moment. That necessitates a certain margin of error.

    #7 | Just Joined! | Join Date: Jun 2008 | Location: Spring, TX | Posts: 14
    Quote Originally Posted by HROAdmin26 View Post
    Another tip: If you want to know which DC your Samba machine is talking to - look at netstat and grep for port 445 on the remote machine:

    Code:
    netstat -anp | grep 445
    tcp        0      0 10.XX.XX.XX:42410           192.XX.XX.200:445             ESTABLISHED 1874/winbindd

    Code:
    [root@twohus153 ~]# netstat -anp | grep 445
    tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN 2617/smbd
    tcp 0 0 192.168.1.27:445 192.168.1.73:1362 ESTABLISHED 2962/smbd
    tcp 0 0 192.168.1.27:445 192.168.1.239:1723 ESTABLISHED 3373/smbd
    tcp 0 0 192.168.1.27:445 192.168.1.233:1397 ESTABLISHED 3142/smbd
    tcp 0 0 192.168.1.27:445 192.168.1.155:2578 ESTABLISHED 3118/smbd
    tcp 0 0 192.168.1.27:445 192.168.1.67:3757 ESTABLISHED 3016/smbd
    tcp 0 0 192.168.1.27:37341 192.168.1.22:445 ESTABLISHED 2631/winbindd
    tcp 0 0 192.168.1.27:58828 192.168.1.22:445 ESTABLISHED 2640/winbindd
    tcp 0 0 192.168.1.27:49710 192.168.4.5:445 TIME_WAIT - <<< UK DC / DNS server 2HUKWOK2.local
    tcp 0 0 192.168.1.27:49692 192.168.4.5:445 TIME_WAIT -
    tcp 0 0 192.168.1.27:49694 192.168.4.5:445 TIME_WAIT -
    tcp 0 0 192.168.1.27:56741 192.168.2.1:445 TIME_WAIT - <<< Unknown IP???
    tcp 0 0 192.168.1.27:56727 192.168.2.1:445 TIME_WAIT -
    tcp 0 0 192.168.1.27:53100 192.168.1.22:445 TIME_WAIT - <<< Local DC / DNS Server
    tcp 0 0 192.168.1.27:53064 192.168.1.22:445 TIME_WAIT -

    #8 | Just Joined! | Join Date: Jun 2008 | Location: Spring, TX | Posts: 14
    Quote Originally Posted by HROAdmin26 View Post
    (You *might* be able to cheat and do something like put the domain name [2HBRRIO] into the Samba server's /etc/hosts file and point it to an IP of a DC for that domain - you might also try the FQDN for the domain. I've done things like that in small/test environments in the past.)
    Tried this, and it doesn't help. DNS seems to be functioning properly. An attempt to connect to the share by a UK user yields a connection on port 445 to a UK DC, a la

    tcp 0 0 192.168.1.27:40149 192.168.4.5:445 ESTABLISHED 5250/winbindd

    But only momentarily.

    /var/log/samba/wb-2HUKWOK2.log is full of this:

    [2009/03/30 14:49:10, 1] nsswitch/winbindd_user.c:winbindd_dual_userinfo(152)
    error getting user info for sid S-1-5-21-1483448500-3058526776-1278923618-1147

    However, I can do this:

    [root@twohus153 samba]# wbinfo --krb5auth=2HUKWOK2.local+adminuser%adminpass
    plaintext kerberos password authentication for [2HUKWOK2.local+adminuser%adminpass] succeeded (requesting cctype: FILE)
    no credentials cached

    So that means I'm talking to the DC, right? Where, then, is the breakdown?
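    An added example (not from either poster) for reading the wb-2HUKWOK2.log lines above: it splits each failing SID into its domain SID and RID and matches the domain SID against the `net rpc trustdom list` output from post #1, so you can tell which trusted domain the lookups are failing for. The second log line is constructed; `failing_sids` and the other helpers are hypothetical names.

```shell
#!/bin/sh
# Added example (not from the thread): map the SID in a winbind log line
# back to the trusted domain it belongs to.

# Domain SIDs exactly as "net rpc trustdom list" printed them in post #1.
TRUSTED_DOMAINS='2HUKWOK2 S-1-5-21-1483448500-3058526776-1278923618
2HBRRIO1 S-1-5-21-3648243851-1836489355-1408670573
2HMYKUA1 S-1-5-21-258026591-1181637403-2273559695'

# Log lines in the format of /var/log/samba/wb-<DOMAIN>.log. The first is
# from the thread; the second is constructed for illustration.
LOG_SAMPLE='[2009/03/30 14:49:10, 1] nsswitch/winbindd_user.c:winbindd_dual_userinfo(152)
  error getting user info for sid S-1-5-21-1483448500-3058526776-1278923618-1147
[2009/03/30 14:49:11, 1] nsswitch/winbindd_user.c:winbindd_dual_userinfo(152)
  error getting user info for sid S-1-5-21-258026591-1181637403-2273559695-1105'

# A user or group SID is <domain SID>-<RID>; split on the last dash.
sid_domain() { printf '%s\n' "${1%-*}"; }
sid_rid()    { printf '%s\n' "${1##*-}"; }

# Resolve a domain SID to its NetBIOS name from the trustdom list, or
# UNKNOWN if no trusted domain matches (a sign of a stale or missing trust).
domain_name() {
    printf '%s\n' "$TRUSTED_DOMAINS" \
        | awk -v sid="$1" '$2 == sid { print $1; found = 1 }
                           END { if (!found) print "UNKNOWN" }'
}

# Summarise the failing SIDs in a log: one "<DOMAIN> RID=<rid>" line each.
failing_sids() {
    printf '%s\n' "$1" \
        | sed -n 's/.*error getting user info for sid \(S-[0-9-]*\).*/\1/p' \
        | while read -r sid; do
            printf '%s RID=%s\n' \
                "$(domain_name "$(sid_domain "$sid")")" "$(sid_rid "$sid")"
          done
}
```

    Feed the real log in with `failing_sids "$(cat /var/log/samba/wb-2HUKWOK2.log)"`; every line resolving to a trusted domain confirms the SID is known but winbind still cannot fetch the user's attributes from that domain's DC.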

    #9 | Just Joined! | Join Date: Jun 2008 | Location: Spring, TX | Posts: 14
    Problem solved. I'll post the fix for the benefit of anyone else who may ever have this issue.

    CentOS 5 ships with Samba 3.0.28. Copying and pasting a line from the winbind log into the Google yielded this page:
    [Samba] winbind between trusted domains really acting up under 3.0.28a
    Apparently Googling variations of "samba AD domain trust problem" wasn't specific enough.

    It seems Samba 3.0.28 broke the ability to use samba shares across AD domain trusts. I upgraded to Samba 3.3.2, and it works now.

    Cheers,
    Rob
