All,
I have a Samba 3.0.4 server running on AIX 5.2. Samba is configured
with PAM, LDAP and Kerberos. The server has been joined to an existing
Windows 2003 domain, and wbinfo -u and wbinfo -g works fine. Users from
the domain that Samba is a member of can authenticate just fine. The
domain is in a one-way trust relationship with another ADS domain (i.e.
Samba is a member of domain A, users from domain B can access any
machines in domain A, but not vice versa). When a user from domain B
tries to connect to the Samba share, I get a Kerberos error in the
winbindd logs when the Samba server is trying to set up a session with
the DC in domain B.
I had this working, and then I made the mistake of running SWAT, which
blew away my smb.conf file. Can someone tell me if I'm missing
something and if so, what?
Smb.conf:
# Samba config file created using SWAT
# from 162.10.170.129 (162.10.170.129)
# Date: 2005/08/11 14:13:47
# Global parameters
[global]
workgroup = DEVELOPMENT
realm = READING.DEVPORTAL.NET
encrypt passwords = yes
security = ADS
password server = usrd106.reading.devportal.net
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind separator = +
use spnego = yes
client use spnego = yes
winbind enum groups = yes
winbind enum users = yes
winbind use default domain = true
[public]
comment = Public data directory
path = /sambapublic
username = @"DEVELOPMENT+Domain Users",@"CORP+Domain
Users"
read list = @"DEVELOPMENT+Domain Users",@"CORP+Domain
Users"
read only = No
krb5.conf:
[libdefaults]
default_realm = READING.DEVPORTAL.NET
[domain_realm]
.reading.devportal.net = READING.DEVPORTAL.NET
.devportal.net = READING.DEVPORTAL.NET
[realms]
READING.DEVPORTAL.NET = {
kdc = usrd106.reading.devportal.net
default_domain = reading.devportal.net
}
[logging]
kdc = FILE:/var/heimdal/kdc.log
kdc = SYSLOG:INFO
default = SYSLOG:INFO:USER
Winbindd log:
[2005/08/12 09:07:08, 1] nsswitch/winbindd.c:main(843)
winbindd version 3.0.4 started.
Copyright The Samba Team 2000-2004
[2005/08/12 09:07:08, 1]
nsswitch/winbindd_util.c:add_trusted_domain(180)
Added domain DEVELOPMENT READING.DEVPORTAL.NET S-0-0
[2005/08/12 09:07:08, 1] libsmb/clikrb5.c:ads_krb5_mk_req(306)
krb5_cc_get_principal failed (A file or directory in the path name
does not ex
ist.)
[2005/08/12 09:07:08, 1]
nsswitch/winbindd_util.c:add_trusted_domain(180)
Added domain CORP S-1-5-21-2817246239-1260869369-510543907
[2005/08/12 09:07:08, 1]
nsswitch/winbindd_util.c:add_trusted_domain(180)
Added domain OZ S-1-5-21-2070835033-1539587657-2044928816
[2005/08/12 09:07:08, 1]
nsswitch/winbindd_util.c:add_trusted_domain(180)
Added domain BUILTIN S-1-5-32
[2005/08/12 09:07:08, 1]
nsswitch/winbindd_util.c:add_trusted_domain(180)
Added domain FLOATER S-1-5-21-1519954005-851123223-2065552488
[2005/08/12 09:07:20, 1] libsmb/clikrb5.c:ads_krb5_mk_req(314)
krb5_get_credentials failed for usrd105$@CORP.ANACOMP.COM (Unknown
error -1765
328377)
[2005/08/12 09:07:20, 1]
libsmb/cliconnect.c:cli_session_setup_kerberos(541)
spnego_gen_negTokenTarg failed: Unknown error -1765328377
[2005/08/12 09:07:20, 1] libsmb/clikrb5.c:ads_krb5_mk_req(314)
krb5_get_credentials failed for usrd105$@CORP.ANACOMP.COM (Unknown
error -1765
328377)
[2005/08/12 09:07:20, 1] libsmb/clikrb5.c:ads_krb5_mk_req(314)
krb5_get_credentials failed for usrd105$@CORP.ANACOMP.COM (Unknown
error -1765
328377)
...skipping...
Added domain DEVELOPMENT READING.DEVPORTAL.NET S-0-0
[2005/08/12 09:07:08, 1] libsmb/clikrb5.c:ads_krb5_mk_req(306)
krb5_cc_get_principal failed (A file or directory in the path name
does not exist.)
[2005/08/12 09:07:08, 1]
nsswitch/winbindd_util.c:add_trusted_domain(180)
Thanks,
Ron
