Samba server, Domain trusts

Installing, Configuring, Troubleshooting server daemons such as Web and Mail
Posts: 3
Joined: 2009/03/27 15:10:47

Samba server, Domain trusts

Postby rob_b » 2009/03/27 15:17:09

Background: I'm the IT guy at the Houston, TX branch of an international company with offices in four countries. Our network is Window$ server 2003 AD, with independent domains for each location, with trusts between each. I'd rather see a domain forest with each office being a member, but that's another rant.

I built a linux box to be a file server here in my office. It's running CentOS 5.1, with Samba configured to be a domain member. I'll post contents of the config files at the end, but basically, members of my local domain can access the samba share, but members of the trusted domains cannot. I'm pulling my hair out here.


[global]
workgroup = 2hushou1
password server = 2hus037
realm = 2HUSHOU1
security = ads
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
template shell = /bin/bash
winbind use default domain = false
winbind offline logon = false
allow trusted domains = Yes
winbind separator = +
passdb backend = tdbsam
cups options = raw
server string =
encrypt passwords = yes

[printers]
comment = All Printers
path = /var/spool/samba
printable = yes

; the share-name header did not survive the forum post; [V] is assumed from the comment and path
[V]
comment = V: Drive
path = /V
read only = yes
; browseable = yes
; guest ok = yes
admin users = "+2HUSHOU1+administrators"
valid users = "+2HUSHOU1+administrators", "+2HUSHOU1+access to v (r)", "+2HUKWOK2.local+access to v (r)", "+2HMYKUA1.local+access to v (r)", "+2HBRRIO1.local+access to v (r)", 2hukwok2+domainadmin
write list = "+2HUSHOU1+document control team", "+2HUSHOU1+administrators"


[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = 2HUSHOU1
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes

[realms]
# the realm name of this stock block and the host values of the kdc entries below
# did not survive the forum post; the CentOS default EXAMPLE.COM entry is assumed here
EXAMPLE.COM = {
kdc =
admin_server =
default_domain =
}

2HUSHOU1 = {
kdc =
admin_server = 2hus037.2HUSHOU1
kdc =
}

2HUKWOK2 = {
kdc =
admin_server = 2h115.2hukwok2.local
default_domain = 2hukwok2.local
}

[domain_realm]
EXAMPLE.COM = EXAMPLE.COM

2hushou1 = 2HUSHOU1
.2hushou1 = 2HUSHOU1

2hukwok2.local = 2HUKWOK2.local
.2hukwok2.local = 2HUKWOK2.local

[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}

"net ads testjoin" returns Join is OK, and "wbinfo -a" successfully authenticates members of the 2HUKWOK2.local trusted domain. However, "wbinfo -r" returns an error for members of the trusted domains, and I suspect this is why they can't access the share, but I may be wrong.

[root@twohus153 ~]# net rpc trustdom list -U2HUSHOU1+adminuser%adminpass
Trusted domains list:

2HUKWOK2 S-1-5-21-1483448500-3058526776-1278923618
2HBRRIO1 S-1-5-21-3648243851-1836489355-1408670573
2HMYKUA1 S-1-5-21-258026591-1181637403-2273559695

Trusting domains list:

Unable to find a suitable server
domain controller is not responding
Unable to find a suitable server
domain controller is not responding
Unable to find a suitable server
domain controller is not responding

The above could also be the source of my problem. I'm out of ideas. Any gurus out there that can tell me what I'm doing wrong?
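The share's user lists above mix the local domain, several trusted domains and one unqualified-looking entry, and `winbind separator = +` doubles as Samba's group prefix, which makes such lists easy to misread. The following script is an added example written for this thread (not code from the post or from Samba): it tokenises `valid users`, `write list` and `admin users` the way Samba's list syntax works (space- or comma-separated, double-quoted entries may contain spaces), splits each entry into DOMAIN+NAME on the configured separator, and flags entries that cannot resolve against the workgroup plus the trusted-domain names. The `[V]` share name and the `TRUSTED_DOMAINS` set are assumptions taken from the post's `comment`/`path` lines and the `net rpc trustdom list` output.

```python
"""Review a Samba share's user lists against the domains the server knows.

Added example written for this thread, not code from the post or from Samba.
It tokenises `valid users` / `write list` / `admin users` the way Samba lists
work (space- or comma-separated; double-quoted entries may contain spaces),
splits each entry into DOMAIN<separator>NAME using `winbind separator`, and
flags entries that cannot resolve: a missing domain while `winbind use
default domain` is off, a domain that is neither the workgroup nor a listed
trust, or a trusted domain while `allow trusted domains` is off.
"""
import re

# Constructed sample: the thread's [global] and share settings, trimmed.
# The share name [V] is assumed from the comment/path in the post.
SMB_CONF = """\
[global]
workgroup = 2hushou1
security = ads
winbind separator = +
winbind use default domain = false
allow trusted domains = Yes

[V]
path = /V
read only = yes
admin users = "+2HUSHOU1+administrators"
valid users = "+2HUSHOU1+administrators", "+2HUSHOU1+access to v (r)", "+2HUKWOK2.local+access to v (r)", 2hukwok2+domainadmin
write list = "+2HUSHOU1+document control team", "+2HUSHOU1+administrators"
"""

# Constructed: trusted domains as `net rpc trustdom list` / `wbinfo -m` name them.
TRUSTED_DOMAINS = {"2HUKWOK2", "2HBRRIO1", "2HMYKUA1"}

GROUP_PREFIXES = "+@&"          # Samba's group markers in user lists
LIST_TOKEN = re.compile(r'"([^"]*)"|([^\s,"]+)')

def parse_smb_conf(text):
    """Parse an smb.conf fragment into {section: {key: value}} (keys lower-cased)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections

def split_list(value):
    """Tokenise a Samba list value; quoted entries keep their spaces."""
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in LIST_TOKEN.finditer(value)]

def classify(entry, sep):
    """Return (kind, domain, name); kind is 'group' or 'user', domain may be None."""
    kind = "user"
    if entry and entry[0] in GROUP_PREFIXES:
        kind, entry = "group", entry[1:]
    if sep in entry:
        domain, name = entry.split(sep, 1)
        return kind, domain, name
    return kind, None, entry

def is_yes(value, default):
    """Samba boolean parsing for the handful of values this check needs."""
    return (value or default).strip().lower() in ("yes", "true", "1")

def review_share(conf, share, trusted):
    """Return a list of findings for the share's user lists."""
    g = conf["global"]
    sep = g.get("winbind separator", "\\")
    workgroup = g["workgroup"].upper()
    known = {workgroup} | {d.upper() for d in trusted}
    use_default = is_yes(g.get("winbind use default domain"), "no")
    allow_trusted = is_yes(g.get("allow trusted domains"), "yes")
    findings = []
    for key in ("valid users", "write list", "admin users"):
        for entry in split_list(conf[share].get(key, "")):
            kind, domain, name = classify(entry, sep)
            if domain is None:
                if not use_default:
                    findings.append(f"{key}: {entry!r} has no domain and "
                                    "'winbind use default domain' is off")
                continue
            short = domain.upper().split(".")[0]    # 2HUKWOK2.local -> 2HUKWOK2
            if short not in known:
                findings.append(f"{key}: {entry!r} names a domain that is neither "
                                "the workgroup nor a listed trust")
            elif short != workgroup and not allow_trusted:
                findings.append(f"{key}: {entry!r} is in a trusted domain but "
                                "'allow trusted domains' is off")
            elif "." in domain:
                findings.append(f"{key}: {entry!r} gives the domain in DNS form; "
                                "compare with the NetBIOS names 'wbinfo -m' prints")
    return findings

if __name__ == "__main__":
    for finding in review_share(parse_smb_conf(SMB_CONF), "V", TRUSTED_DOMAINS):
        print(finding)
```

Run against the sample it reports only the DNS-form entry; flipping `allow trusted domains` to `no` makes it flag every entry from a trusted domain, which is the quickest way to see which lines of a share's ACL depend on the trusts working at all.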

Posts: 46
Joined: 2009/03/29 16:01:58

Re: Samba server, Domain trusts

Postby davecgs » 2009/03/30 20:00:28

It's a very interesting problem. Sadly, my experience with Samba is one domain and not this crazy Windows setup you have -- I feel sorry for you. That's a mess. Who in the world set that up? Trying to integrate Samba in this is a headache.

However, let me stew over it for a couple of days and see if I can see something. In the meantime I assume that the password server is your Windows domain, and I assume it's a 2003 server, or is it the dreaded Windows Vista Server?

Posts: 3
Joined: 2009/03/27 15:10:47

Re: Samba server, Domain trusts

Postby rob_b » 2009/03/30 21:36:33

Thanks for the response. The guys in the UK office set things up this way, and I'm kicking and screaming to get us to migrate to a directory forest structure, i.e. how it should have been done to begin with, but they can't be bothered. Too much work, they say.

Anyway, I've got more information, which I'll post here...

[root@twohus153 ~]# netstat -anp | grep 445
tcp 0 0* LISTEN 2617/smbd
tcp 0 0 ESTABLISHED 2962/smbd
tcp 0 0 ESTABLISHED 3373/smbd
tcp 0 0 ESTABLISHED 3142/smbd
tcp 0 0 ESTABLISHED 3118/smbd
tcp 0 0 ESTABLISHED 3016/smbd
tcp 0 0 ESTABLISHED 2631/winbindd
tcp 0 0 ESTABLISHED 2640/winbindd
tcp 0 0 TIME_WAIT - <<< UK DC / DNS server 2HUKWOK2.local
tcp 0 0 TIME_WAIT -
tcp 0 0 TIME_WAIT -
tcp 0 0 TIME_WAIT - <<< Kuala Lumpur DC / DNS Server 2HMYKUA1.local
tcp 0 0 TIME_WAIT -
tcp 0 0 TIME_WAIT - <<< Local DC / DNS Server
tcp 0 0 TIME_WAIT -

From another forum:

Originally Posted by HROAdmin26
(You *might* be able to cheat and do something like put the domain name [2HBRRIO] into the Samba server's /etc/hosts file and point it to an IP of a DC for that domain - you might also try the FQDN for the domain. I've done things like that in small/test environments in the past.)

Tried this, and it doesn't help. DNS seems to be functioning properly. An attempt to connect to the share by a UK user yields a connection on port 445 to a UK DC, a la

tcp 0 0 ESTABLISHED 5250/winbindd

But only momentarily.

/var/log/samba/wb-2HUKWOK2.log is full of this:

[2009/03/30 14:49:10, 1] nsswitch/winbindd_user.c:winbindd_dual_userinfo(152)
error getting user info for sid S-1-5-21-1483448500-3058526776-1278923618-1147

However, I can do this:

[root@twohus153 samba]# wbinfo --krb5auth=2HUKWOK2.local+adminuser%adminpass
plaintext kerberos password authentication for [2HUKWOK2.local+adminuser%adminpass] succeeded (requesting cctype: FILE)
no credentials cached

So that means I'm talking to the DC, right? Where, then, is the breakdown?
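One thing the log line above does tell you is which trust is failing: a SID of the form S-1-5-21-A-B-C-RID belongs to the domain whose SID is S-1-5-21-A-B-C, and `net rpc trustdom list` printed exactly those domain SIDs in the first post. The script below is an added example written for this thread (not code from the post or from Samba): it parses the trustdom listing, walks winbind log lines of the kind quoted above, and counts failed lookups per trusted domain and RID, so a log full of identical errors collapses into one line per broken trust. The first log SID is the one from the post; the other log lines, the hypothetical RIDs and the unlisted domain SID are constructed to exercise the unknown-domain path.

```python
"""Attribute winbind lookup failures to trusted domains by SID prefix.

Added example written for this thread, not code from the post or from Samba.
Windows SIDs have the form S-1-5-21-A-B-C-RID: the S-1-5-21-A-B-C part is the
domain's SID and the trailing RID names the user or group inside it.  The
script parses the domain SIDs that `net rpc trustdom list` prints, then walks
winbind log lines of the kind shown in the thread and counts failures per
domain, so you can see at once which trust is the one that cannot be reached.
"""
import re
from collections import Counter

# Constructed sample: the trusted-domain listing as printed in the thread.
TRUSTDOM_OUTPUT = """\
Trusted domains list:

2HUKWOK2 S-1-5-21-1483448500-3058526776-1278923618
2HBRRIO1 S-1-5-21-3648243851-1836489355-1408670573
2HMYKUA1 S-1-5-21-258026591-1181637403-2273559695

Trusting domains list:

Unable to find a suitable server
domain controller is not responding
"""

# Constructed sample in the format of /var/log/samba/wb-<DOMAIN>.log.  The
# first SID is the one from the thread; the others are made up to show a
# second domain and a domain SID that is not in the trust list at all.
WINBIND_LOG = """\
[2009/03/30 14:49:10, 1] nsswitch/winbindd_user.c:winbindd_dual_userinfo(152)
  error getting user info for sid S-1-5-21-1483448500-3058526776-1278923618-1147
[2009/03/30 14:49:12, 1] nsswitch/winbindd_user.c:winbindd_dual_userinfo(152)
  error getting user info for sid S-1-5-21-1483448500-3058526776-1278923618-1147
[2009/03/30 14:50:01, 1] nsswitch/winbindd_user.c:winbindd_dual_userinfo(152)
  error getting user info for sid S-1-5-21-258026591-1181637403-2273559695-1106
[2009/03/30 14:50:03, 1] nsswitch/winbindd_user.c:winbindd_dual_userinfo(152)
  error getting user info for sid S-1-5-21-999-999-999-500
"""

DOMAIN_SID = r"S-1-5-21(?:-\d+){3}"
TRUST_LINE = re.compile(rf"(\S+)\s+({DOMAIN_SID})")
FAIL_LINE = re.compile(rf"error getting user info for sid ({DOMAIN_SID}-\d+)")

def split_sid(sid):
    """Split a full account SID into (domain SID, RID)."""
    domain_sid, rid = sid.rsplit("-", 1)
    return domain_sid, int(rid)

def parse_trustdom(output):
    """Return ({domain SID: NetBIOS name}, [error lines]) from `net rpc trustdom list` output."""
    domains, errors = {}, []
    for line in output.splitlines():
        line = line.strip()
        m = TRUST_LINE.fullmatch(line)
        if m:
            domains[m.group(2)] = m.group(1)
        elif line and not line.endswith("domains list:"):
            errors.append(line)
    return domains, errors

def attribute_failures(log, domains):
    """Count failed lookups as {(domain name, RID): n}; unknown domains keep their raw SID."""
    counts = Counter()
    for m in FAIL_LINE.finditer(log):
        domain_sid, rid = split_sid(m.group(1))
        counts[(domains.get(domain_sid, domain_sid), rid)] += 1
    return counts

def report(trustdom_output, log):
    """Summary lines, one per (domain, RID), plus a note on trusting-side errors."""
    domains, errors = parse_trustdom(trustdom_output)
    lines = [f"{name}: {n} failed lookup(s) for RID {rid}"
             for (name, rid), n in sorted(attribute_failures(log, domains).items())]
    if errors:
        lines.append(f"trustdom list reported {len(errors)} error line(s) on the trusting side")
    return lines

if __name__ == "__main__":
    print("\n".join(report(TRUSTDOM_OUTPUT, WINBIND_LOG)))
```

A RID that is failing in a domain the trustdom list does know about points at that trust (or at the domain controller behind it); a domain SID that is not in the list at all means the user came through a path winbind has no trust record for, which is a different problem from the one in this thread.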

Posts: 3
Joined: 2009/03/27 15:10:47

Re: Samba server, Domain trusts

Postby rob_b » 2009/04/01 14:14:25

Problem solved. I'll post the fix for the benefit of anyone else who may ever have this issue.

CentOS 5 ships with Samba 3.0.28. Copying and pasting a line from the winbind log into the Google yielded this page: ... 39422.html
Apparently Googling variations of "samba AD domain trust problem" wasn't specific enough.

It seems Samba 3.0.28 broke the ability to use samba shares across AD domain trusts. I upgraded to Samba 3.3.2, and it works now.
