
CIFS Server/Samba and trusted domains

Danny Petterson - DK
Trusted Contributor

CIFS Server/Samba and trusted domains

Hi Gurus!

I got quite a problem. Have a share on a CIFS Server, A.02.03.04 on 11.31. The Samba is a member of a Windows AD, Domain1. Domain1 has a trust relationship to Domain2. Some of the users who should access this share are not located in Domain1 but in Domain2. Users from Domain1 can access the share, but it fails for users from Domain2. On Windows servers in the AD, this relationship works fine.

The errors:

[2010/06/16 10:29:35, 1] libsmb/clikrb5.c:ads_krb5_mk_req(486)
ads_krb5_mk_req: krb5_get_credentials failed for domaincontroller$@Domain2 (Server not found in Kerberos database)
[2010/06/16 10:29:35, 1] nsswitch/winbindd_ads.c:ads_cached_connection(108)
ads_connect for domain Domain2 failed: Server not found in Kerberos database

[2010/06/16 10:29:35, 2] auth/auth.c:check_ntlm_password(302)
check_ntlm_password: authentication for user [Domain2-user] -> [Domain2-user] -> [Domain2-user] succeeded
[2010/06/16 10:29:35, 2] smbd/service.c:make_connection_snum(324)
user 'Domain2-user' (from session setup) not permitted to access this share (myshare)
[2010/06/16 10:29:46, 0] lib/util_sock.c:read_data(528)
read_data: read failure for 4 bytes to client Error = Connection reset by peer
[2010/06/16 10:29:46, 2] smbd/server.c:exit_server(637)

My smb.conf:

[global]
workgroup = Domain1
realm = Domain1
netbios name = myshare0v
security = ADS
password server = adcontroller001.Domain1, *
log level = 2
log file = /var/opt/samba/log.%m
max log size = 1000
panic action = /var/opt/samba/panic-action %d
idmap backend = adex
idmap uid = 50000-60000
idmap gid = 50000-60000
template shell = /usr/bin/ksh
winbind separator = +
winbind cache time = 3000
idmap config Domain2:gid = 60000-80000
idmap config Domain2:uid = 60000-80000
idmap config Domain2:backend = adex
read only = No
dos filetime resolution = Yes

; share section header assumed from the share name (myshare) in the log above
[myshare]
path = /myshare
valid users = Domain1+Domain1-user, Domain2+Domain2-user

Any suggestions will be appreciated.

Thanks in advance
Danny Petterson
Modris Bremze
Esteemed Contributor

Re: CIFS Server/Samba and trusted domains

Danny Petterson - DK
Trusted Contributor

Re: CIFS Server/Samba and trusted domains


Thanks for your reply.

Kerberos is fine, I can kinit to users on both Domain1 and Domain2.

Danny Petterson
Danny Petterson - DK
Trusted Contributor

Re: CIFS Server/Samba and trusted domains

Hi again!

If it helps, I can clarify the trust relationship, and what I think might be the problem:

Domain1 trusts Domain2, not vice versa, which means that Domain1 trusts users from Domain2, but Domain2 does not trust anything from Domain1. In a "clean" Windows environment this is not a problem: when someone from Domain2 accesses a share on Domain1, the AD just lets Domain2 validate the user, and then grants the access.

However, CIFS/Samba, apparently, in my configuration anyway, looks like it tries to talk to Domain2 directly, without letting the AD pass the credentials on, making it impossible for Domain2 users to access the share on CIFS.

I suppose it's because I configured something wrong in the smb.conf to support this; I just don't know what.....

Hope someone has a clue.....

Modris Bremze
Esteemed Contributor

Re: CIFS Server/Samba and trusted domains

There is no "allow trusted domains" parameter in your smb.conf. Although it should default to "yes", try adding it to make sure.

You could try removing access restrictions (empty valid users) so that anyone can access the share and check if it makes any difference for domain2 users. Also, consider setting a more verbose log level. That could yield something useful.

"+" as "winbind separator" could cause some problems when using NIS.
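The checks suggested in this reply (explicit "allow trusted domains", the "valid users" entries for the trusted domain, the "+" separator) and the log pattern in the original post (winbind cannot reach the trusted DC, yet the user authenticates and is then refused by the share) can be audited mechanically. The following is an added example written for this thread; it is not HP CIFS Server or Samba project code. The smb.conf and log excerpts are constructed from the post (the [global]/[myshare] headers are assumed), and the finding codes and the checklist are the author's own assumptions about what an admin would verify before blaming the trust itself.

```python
"""Audit smb.conf trusted-domain settings and classify Samba log entries.

Added example for the thread above (not Samba's own diagnostics). Inputs are
constructed from the posted config and log; section headers are assumed.
"""
import re
from collections import defaultdict

# Constructed from the post; [global] and [myshare] headers are assumed.
SMB_CONF = """
[global]
workgroup = Domain1
realm = Domain1
security = ADS
winbind separator = +
idmap backend = adex
idmap config Domain2:gid = 60000-80000
idmap config Domain2:uid = 60000-80000
idmap config Domain2:backend = adex

[myshare]
path = /myshare
valid users = Domain1+Domain1-user, Domain2+Domain2-user
"""

# Constructed from the log lines quoted in the post (messages indented).
SMB_LOG = """\
[2010/06/16 10:29:35, 1] nsswitch/winbindd_ads.c:ads_cached_connection(108)
  ads_connect for domain Domain2 failed: Server not found in Kerberos database
[2010/06/16 10:29:35, 2] auth/auth.c:check_ntlm_password(302)
  check_ntlm_password: authentication for user [Domain2-user] -> [Domain2-user] -> [Domain2-user] succeeded
[2010/06/16 10:29:35, 2] smbd/service.c:make_connection_snum(324)
  user 'Domain2-user' (from session setup) not permitted to access this share (myshare)
"""

HEADER_RE = re.compile(r"^\[(?P<ts>[^,\]]+),\s*(?P<level>\d+)\]\s+(?P<src>\S+)\s*$")
AUTH_OK_RE = re.compile(r"authentication for user \[(?P<user>[^\]]+)\].*succeeded")
DENIED_RE = re.compile(
    r"user '(?P<user>[^']+)' \(from session setup\) not permitted to access this share \((?P<share>[^)]+)\)")
ADS_FAIL_RE = re.compile(r"ads_connect for domain (?P<domain>\S+) failed: (?P<reason>.+)$")


def parse_smb_conf(text):
    """Minimal smb.conf parser: {section: {key: value}} with keys lowercased."""
    sections = defaultdict(dict)
    current = "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            continue
        key, sep, value = line.partition("=")
        if sep:
            sections[current][" ".join(key.split()).lower()] = value.strip()
    return dict(sections)


def audit_trusted_domain(conf, domain):
    """Return (code, detail) findings for access from a trusted domain (assumed checklist)."""
    findings = []
    g = conf.get("global", {})
    atd = g.get("allow trusted domains")
    if atd is None:
        findings.append(("allow_trusted_domains_implicit", "not set; Samba defaults to yes, set it explicitly"))
    elif atd.lower() not in ("yes", "true", "1"):
        findings.append(("allow_trusted_domains_off", f"set to {atd}; trusted-domain logons are refused"))
    sep = g.get("winbind separator", "\\")
    if sep == "+":
        findings.append(("separator_plus", "'+' is also NIS netgroup syntax; may confuse name lookups"))
    d = domain.lower()
    missing = [k for k in ("backend", "uid", "gid") if f"idmap config {d}:{k}" not in g]
    if missing:
        findings.append(("idmap_missing", f"{domain}: no idmap config for {missing}"))
    for name, section in conf.items():
        if name == "global":
            continue
        users = [u.strip() for u in section.get("valid users", "").split(",") if u.strip()]
        foreign = [u for u in users if u.lower().startswith(d + sep)]
        if foreign:
            findings.append(("valid_users_trusted",
                             f"[{name}] lists {foreign}; only enforceable if winbind resolves {domain}"))
    return findings


def parse_smb_log(text):
    """Samba log entries are a header line followed by one or more message lines."""
    entries = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            entries.append({"ts": m["ts"], "level": int(m["level"]), "src": m["src"], "msg": ""})
        elif entries:
            entries[-1]["msg"] += line.strip() + " "
    return entries


def classify_log(entries):
    """Separate 'cannot reach trusted DC' from 'authenticated, then denied by the share'."""
    events, authenticated = [], set()
    for e in entries:
        msg = e["msg"].strip()
        if m := ADS_FAIL_RE.search(msg):
            events.append(("trusted_dc_unreachable", m["domain"], m["reason"]))
        elif m := AUTH_OK_RE.search(msg):
            authenticated.add(m["user"])
        elif m := DENIED_RE.search(msg):
            kind = "authorization_denied" if m["user"] in authenticated else "auth_failed"
            events.append((kind, m["user"], m["share"]))
    return events


if __name__ == "__main__":
    for code, detail in audit_trusted_domain(parse_smb_conf(SMB_CONF), "Domain2"):
        print(f"{code}: {detail}")
    for event in classify_log(parse_smb_log(SMB_LOG)):
        print(event)
```

On the posted excerpt the log classifier separates two distinct events: winbind failing to reach a Domain2 DC through Kerberos, and the Domain2 user passing authentication but being refused by the share, which points at the "valid users" check (name resolution through winbind) rather than at the password check, matching the suggestion above to test with an empty "valid users" first.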
Marty Garcia
Occasional Visitor

Re: CIFS Server/Samba and trusted domains

If the DC is Windows 2008 r2 OS, you will have issues.
Steven E. Protter
Exalted Contributor

Re: CIFS Server/Samba and trusted domains

Shalom Danny,

I suspect, though the errors are coming out in the Samba log on HP-UX, that the problem may be a bug in the trust relationship between the two Windows Servers.

Real World testing on a single sign on project a few years ago led me to find out the following.

This will not work with Windows Server 2003 unless updated to Release two or having specific Windows patches installed.

I have read there are similar problems with Windows Server 2008 and some specific patches are required for the work.

Steven E Protter
Owner of ISN Corporation