Samba server, Domain trusts

Installing, Configuring, Troubleshooting server daemons such as Web and Mail

Samba server, Domain trusts

Postby rob_b » 2009/03/27 15:17:09

Background: I'm the IT guy at the Houston, TX branch of an international company with offices in four countries. Our network is Window$ server 2003 AD, with independent domains for each location, with trusts between each. I'd rather see a domain forest with each office being a member, but that's another rant.

I built a linux box to be a file server here in my office. It's running CentOS 5.1, with Samba configured to be a domain member. I'll post contents of the config files at the end, but basically, members of my local domain can access the samba share, but members of the trusted domains cannot. I'm pulling my hair out here.

/etc/samba/smb.conf:

workgroup = 2hushou1
password server = 2hus037
realm = 2HUSHOU1
security = ads
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
template shell = /bin/bash
winbind use default domain = false
winbind offline logon = false
allow trusted domains = Yes
winbind separator = +
passdb backend = tdbsam
cups options = raw
server string =
encrypt passwords = yes

[printers]
comment = All Printers
path = /var/spool/samba
printable = yes

[V]
comment = V: Drive
path = /V
read only = yes
; browseable = yes
; guest ok = yes
admin users = "+2HUSHOU1+administrators"
valid users = "+2HUSHOU1+administrators", "+2HUSHOU1+access to v (r)", "+2HUKWOK2.local+access to v (r)", "+2HMYKUA1.local+access to v (r)", "+2HBRRIO1.local+access to v (r)", 2hukwok2+domainadmin
write list = "+2HUSHOU1+document control team", "+2HUSHOU1+administrators"



/etc/krb5.conf:

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = 2HUSHOU1
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes

[realms]
EXAMPLE.COM = {
kdc = kerberos.example.com:88
admin_server = kerberos.example.com:749
default_domain = example.com
}

2HUSHOU1 = {
kdc = 192.168.1.22
admin_server = 2hus037.2HUSHOU1
kdc = 192.168.1.22
}

2HUKWOK2 = {
kdc = 192.168.0.34
admin_server = 2h115.2hukwok2.local
default_domain = 2hukwok2.local
}

[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM

2hushou1 = 2HUSHOU1
.2hushou1 = 2HUSHOU1

2hukwok2.local = 2HUKWOK2.local
.2hukwok2.local = 2HUKWOK2.local

[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}


"net ads testjoin" returns Join is OK, and "wbinfo -a" successfully authenticates members of the 2HUKWOK2.local trusted domain. However, "wbinfo -r" returns an error for members of the trusted domains, and I suspect this is why they can't access the share, but I may be wrong.

[root@twohus153 ~]# net rpc trustdom list -U2HUSHOU1+adminuser%adminpass
Trusted domains list:

2HUKWOK2 S-1-5-21-1483448500-3058526776-1278923618
2HBRRIO1 S-1-5-21-3648243851-1836489355-1408670573
2HMYKUA1 S-1-5-21-258026591-1181637403-2273559695

Trusting domains list:

Unable to find a suitable server
domain controller is not responding
Unable to find a suitable server
domain controller is not responding
Unable to find a suitable server
domain controller is not responding
2HUKWOK2 2HBRRIO1 2HMYKUA1

The above could also be the source of my problem. I'm out of ideas. Any gurus out there that can tell me what I'm doing wrong?
rob_b
 
Posts: 3
Joined: 2009/03/27 15:10:47

Re: Samba server, Domain trusts

Postby davecgs » 2009/03/30 20:00:28

It's a very interesting problem. Sadly, my experience with Samba is one domain and not this crazy windows setup you have -- I feel sorry for you. That's a mess. Who in the world set that up? Trying to integrate Samba in this is a headache.

However, let me stew over it for a couple of days and see if I can see something. In the meantime I assume that the password server is your Windows domain and I assume it's a 2003 server or it the dreaded Windows Vista Server?
davecgs
 
Posts: 46
Joined: 2009/03/29 16:01:58

Re: Samba server, Domain trusts

Postby rob_b » 2009/03/30 21:36:33

Thanks for the response. The guys in the UK office set things up this way, and I'm kicking and screaming to get us to migrate to a directory forest structure, i.e. how it should have been done to begin with, but they can't be bothered. Too much work, they say.

Anyway, I've got more information, which I'll post here...

> [root@twohus153 ~]# netstat -anp | grep 445
tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN 2617/smbd
tcp 0 0 192.168.1.27:445 192.168.1.73:1362 ESTABLISHED 2962/smbd
tcp 0 0 192.168.1.27:445 192.168.1.239:1723 ESTABLISHED 3373/smbd
tcp 0 0 192.168.1.27:445 192.168.1.233:1397 ESTABLISHED 3142/smbd
tcp 0 0 192.168.1.27:445 192.168.1.155:2578 ESTABLISHED 3118/smbd
tcp 0 0 192.168.1.27:445 192.168.1.67:3757 ESTABLISHED 3016/smbd
tcp 0 0 192.168.1.27:37341 192.168.1.22:445 ESTABLISHED 2631/winbindd
tcp 0 0 192.168.1.27:58828 192.168.1.22:445 ESTABLISHED 2640/winbindd
tcp 0 0 192.168.1.27:49710 192.168.4.5:445 TIME_WAIT - <<< UK DC / DNS server 2HUKWOK2.local
tcp 0 0 192.168.1.27:49692 192.168.4.5:445 TIME_WAIT -
tcp 0 0 192.168.1.27:49694 192.168.4.5:445 TIME_WAIT -
tcp 0 0 192.168.1.27:56741 192.168.2.1:445 TIME_WAIT - <<< Kuala Lumpur DC / DNS Server 2HMYKUA1.local
tcp 0 0 192.168.1.27:56727 192.168.2.1:445 TIME_WAIT -
tcp 0 0 192.168.1.27:53100 192.168.1.22:445 TIME_WAIT - <<< Local DC / DNS Server
tcp 0 0 192.168.1.27:53064 192.168.1.22:445 TIME_WAIT -

From another forum:


Quote:
Originally Posted by HROAdmin26 View Post
(You *might* be able to cheat and do something like put the domain name [2HBRRIO] into the Samba server's /etc/hosts file and point it to an IP of a DC for that domain - you might also try the FQDN for the domain. I've done things like that in small/test environments in the past.)

Tried this, and it doesn't help. DNS seems to be functioning properly. An attempt to connect to the share by a UK user yields a connection on port 445 to a UK DC, a la

tcp 0 0 192.168.1.27:40149 192.168.4.5:445 ESTABLISHED 5250/winbindd

But only momentarily.

/var/log/samba/wb-2HUKWOK2.log is full of this:

[2009/03/30 14:49:10, 1] nsswitch/winbindd_user.c:winbindd_dual_userinfo(152)
error getting user info for sid S-1-5-21-1483448500-3058526776-1278923618-1147

However, I can do this:

[root@twohus153 samba]# wbinfo --krb5auth=2HUKWOK2.local+adminuser%adminpass
plaintext kerberos password authentication for [2HUKWOK2.local+adminuser%adminpass] succeeded (requesting cctype: FILE)
no credentials cached

So that means I'm talking to the DC, right? Where, then, is the breakdown?
rob_b
 
Posts: 3
Joined: 2009/03/27 15:10:47

Re: Samba server, Domain trusts

Postby rob_b » 2009/04/01 14:14:25

Problem solved. I'll post the fix for the benefit of anyone else who may ever have this issue.

Centos 5 ships with Samba 3.0.28. Copying and pasting a line from the winbind log into the Google yielded this page:
http://lists.samba.org/archive/samba/20 ... 39422.html
Apparently Googling variations of "samba AD domain trust problem" wasn't specific enough.

It seems Samba 3.0.28 broke the ability to use samba shares across AD domain trusts. I upgraded to Samba 3.3.2, and it works now.

Cheers,
Rob
rob_b
 
Posts: 3
Joined: 2009/03/27 15:10:47


Return to CentOS 5 - Server Support

Who is online

Users browsing this forum: No registered users and 1 guest