06-16-2010 12:51 AM
CIFS Server/Samba and trusted domains
I got quite a problem. Have a share on a CIFS Server, A.02.03.04 on 11.31. The Samba is a member of a Windows AD, Domain1. Domain has trust relationship to Domain2. Some of the users who should access this share are not located in Domain1 but in Domain2. Users from Domain1 can access the share, but it fails for users from Domain2. On Windows servers in the AD, this relationship works fine.
The errors:
[2010/06/16 10:29:35, 1] libsmb/clikrb5.c:ads_krb5_mk_req(486)
ads_krb5_mk_req: krb5_get_credentials failed for domaincontroller$@Domain2 (Server not found in Kerberos database)
[2010/06/16 10:29:35, 1] nsswitch/winbindd_ads.c:ads_cached_connection(108)
ads_connect for domain Domain2 failed: Server not found in Kerberos database
[2010/06/16 10:29:35, 2] auth/auth.c:check_ntlm_password(302)
check_ntlm_password: authentication for user [Domain2-user] -> [Domain2-user] -> [Domain2-user] succeeded
[2010/06/16 10:29:35, 2] smbd/service.c:make_connection_snum(324)
user 'Domain2-user' (from session setup) not permitted to access this share (myshare)
[2010/06/16 10:29:46, 0] lib/util_sock.c:read_data(528)
read_data: read failure for 4 bytes to client 172.30.6.132. Error = Connection reset by peer
[2010/06/16 10:29:46, 2] smbd/server.c:exit_server(637)
My smb.conf:
[global]
workgroup = Domain1
realm = Domain1
netbios name = myshare0v
security = ADS
password server = adcontroller001.Domain1, *
log level = 2
log file = /var/opt/samba/log.%m
max log size = 1000
panic action = /var/opt/samba/panic-action %d
idmap backend = adex
idmap uid = 50000-60000
idmap gid = 50000-60000
template shell = /usr/bin/ksh
winbind separator = +
winbind cache time = 3000
idmap config Domain2:gid = 60000-80000
idmap config Domain2:uid = 60000-80000
idmap config Domain2:backend = adex
read only = No
dos filetime resolution = Yes
[myshare]
path = /myshare
valid users = Domain1+Domain1-user, Domain2+Domain2-user
Any suggestions will be appreciated.
Thanks in advance
Danny Petterson
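Added example, not part of the original posts: a small Python triage of the log excerpt above that separates the three events it records (winbind's failed ADS connection to Domain2, the successful NTLM authentication, and the share-level denial). The function names are this example's own, and it assumes the two-line header/message log layout shown in the post.

```python
import re

# Sample input: the winbind, auth and share entries copied from the log excerpt above.
SAMPLE_LOG = """\
[2010/06/16 10:29:35, 1] nsswitch/winbindd_ads.c:ads_cached_connection(108)
  ads_connect for domain Domain2 failed: Server not found in Kerberos database
[2010/06/16 10:29:35, 2] auth/auth.c:check_ntlm_password(302)
  check_ntlm_password: authentication for user [Domain2-user] -> [Domain2-user] -> [Domain2-user] succeeded
[2010/06/16 10:29:35, 2] smbd/service.c:make_connection_snum(324)
  user 'Domain2-user' (from session setup) not permitted to access this share (myshare)
"""

# Header line: "[date time, level] file:function(line)". The leading "[" is
# optional because pasted excerpts sometimes lose it.
HEADER = re.compile(r"^\[?(\S+ \S+), +(\d+)\] (\S+):(\w+)\((\d+)\)")
ADS_FAIL = re.compile(r"ads_connect for domain (\S+) failed: (.+)")
AUTH_OK = re.compile(r"check_ntlm_password: authentication for user \[([^\]]+)\].*succeeded")
DENIED = re.compile(r"user '([^']+)' .*not permitted to access this share \(([^)]+)\)")

def parse_entries(text):
    """Group a Samba log into (timestamp, level, function, message) entries."""
    entries = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            entries.append([m.group(1), int(m.group(2)), m.group(4), ""])
        elif entries and line.strip():
            # Continuation line: append to the message of the current entry.
            entries[-1][3] = (entries[-1][3] + " " + line.strip()).strip()
    return [tuple(e) for e in entries]

def triage(text):
    """Report share denials, noting whether the user had already authenticated
    and which domains winbind had failed to connect to before the denial."""
    ads_failures, authenticated, findings = {}, set(), []
    for ts, _level, _func, msg in parse_entries(text):
        if m := ADS_FAIL.search(msg):
            ads_failures[m.group(1)] = m.group(2)
        elif m := AUTH_OK.search(msg):
            authenticated.add(m.group(1))
        elif m := DENIED.search(msg):
            user, share = m.groups()
            findings.append({"time": ts, "user": user, "share": share,
                             "authenticated": user in authenticated,
                             "winbind_ads_failures": dict(ads_failures)})
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

A finding with `authenticated` set to True means the password check passed and the refusal came from the share's access list, which is what the excerpt shows for Domain2-user.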
06-16-2010 03:27 AM
Re: CIFS Server/Samba and trusted domains
http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/domain-member.html#ads-member
06-16-2010 03:55 AM
Re: CIFS Server/Samba and trusted domains
Thanks for your reply.
Kerberos is fine, I can kinit to users on both Domain1 and Domain2.
Yours
Danny Petterson
06-16-2010 06:55 AM
Re: CIFS Server/Samba and trusted domains
If it helps, I can clarify the trust relationship, and what I think might be the problem:
Domain1 trusts Domain2, not vice versa - which means that Domain1 trusts users from Domain2, but Domain2 does not trust anything from Domain1. In a "clean" Windows environment this is not a problem: when someone from Domain2 accesses a share on Domain1, the AD just lets Domain2 validate the user, and then grants the access.
However, CIFS/Samba, apparently, in my configuration anyway, looks like it tries to talk to Domain2 directly, without letting the AD pass the credentials on - making it impossible for Domain2 users to access the share on CIFS.
I suppose it's because I configured something wrong in the smb.conf to support this - I just don't know what.....
Hope someone has a clue.....
Yours
Danny
06-16-2010 11:50 AM
Re: CIFS Server/Samba and trusted domains
You could try removing access restrictions (empty valid users) so that anyone can access the share and check if it makes any difference for domain2 users. Also, consider setting a more verbose log level. That could yield something useful.
"+" as "winbind separator" could cause some problems when using NIS.
http://samba.org/samba/docs/man/Samba-HOWTO-Collection/diagnosis.html
http://samba.org/samba/docs/man/Samba-HOWTO-Collection/problems.html
11-01-2010 09:19 AM
Re: CIFS Server/Samba and trusted domains
I suspect, though the errors are coming out in the Samba log on HP-UX, that the problem may be a bug in the trust relationship between the two Windows servers.
Real-world testing on a single sign-on project a few years ago led me to find out the following.
This will not work with Windows Server 2003 unless updated to Release two or having specific Windows patches installed.
I have read there are similar problems with Windows Server 2008 and some specific patches are required for the work.
SEP