clalias:
Never mind, problem resolved... Lock/delete. Thanks! 11/24/2008 3:23:34 PM
evan:
lol, I came in here expecting to whip out my Samba e-peen.
It is now put away, however. 11/24/2008 3:58:16 PM
Aficionado:
^ Good.
That thing is dangerous. 11/24/2008 4:54:53 PM
kiljadn:
lock/delete/.....suspend? 11/24/2008 6:23:18 PM
ncsuapex:
I wanna see Evan's Samba e-peen.
How do I authenticate a user on one domain to a Samba share on another domain using their own domain credentials? 11/26/2008 10:18:44 AM
evan:
You need to set up a trust between the domains so they can authenticate against each other,
then add permissions like you normally would. 11/26/2008 11:52:16 AM
ncsuapex:
Set up the trusts and added the DOMAIN+users in smb.conf.
I'll post some command results later.
I'm thinking it's a PAM or Kerberos problem. 11/26/2008 12:11:05 PM
ncsuapex:
I can now access Samba shares on domainb from a domaina workstation using domaina credentials, but only as my account, which is a domain admin. Can't get regular users to access cross-domain shares.
Error in Samba log:
    Error getting user info for sid #
I can run wbinfo -n domaina+user and it returns the correct SID that's in the log.
Running the above command on a Linux box on domainb. 12/9/2008 3:09:39 PM
evan:
Is that error from the winbindd log?
Did you define both realms in krb5.conf? 12/9/2008 3:15:00 PM
ncsuapex:
It's in the log.wb-DOMAINA.
At one time I had both domains listed in krb5.conf, but I took domaina out. I'll add it back and try again tomorrow. 12/9/2008 5:53:30 PM
ncsuapex:
Bump.
Still can only access Samba shares cross-domain with my domain admin account. 12/20/2008 1:52:29 PM
evan:
Get a Kerberos ticket and then do smbclient -L server -k,
then klist and see what tickets you have.
[Edited on December 20, 2008 at 2:01 PM. Reason: also show me the output of wbinfo -m]
[Edited on December 20, 2008 at 2:03 PM. Reason: also, are you using ntlm_auth or just straight winbind?] 12/20/2008 1:59:52 PM
ncsuapex:
I'll try it on Monday. I forgot I had turned off my test server yesterday.
wbinfo -m lists both domains.
Also, if I do a wbinfo -a domaina+username%password
from a box on domainb, it comes back with:
    plaintext password authentication succeeded
    challenge/response password authentication succeeded
I *think* just winbind. How would I know? In nsswitch.conf I have:
    passwd: files winbind
    shadow: files winbind
    group:  files winbind
12/20/2008 2:01:55 PM
evan:
Hmm.
In krb5.conf, when you define the realms, did you also define the KDCs for each? winbindd isn't smart enough to look at the SRV records in the domain to find the PDC.
It sounds like you're authenticating correctly but it's having trouble reading info from AD because it can't see the trust. Do you have anonymous reads enabled for your domain? 12/20/2008 2:09:16 PM
ncsuapex:
[libdefaults]
    default_realm = DOMAINB.COM
    #default_etypes = des-cbc-crc
    #default_etypes_des = des-cbc-crc
    dns_lookup_realm = false
    dns_lookup_kdc = false

[realms]
    DOMAINB.COM = {
        kdc = server.domainb.com
    }

[domain_realm]
    .kerberos.server = DOMAINB.COM
    .domainb.com = DOMAINB.COM
    domainb.com = DOMAINB.COM

This isn't the krb5.conf from my current test server; I can't reach it since it's powered off. But it should look similar unless I made some other changes that I can't remember at the moment.
So I need to add
    DOMAINA.COM = {
        kdc = server.domaina.com
    }
I think I've tried that. But since I've messed around with it so much, I'm not sure what was working and not working.
What about these 2 lines? Do they need to be there? Do they need to be true or false?
    dns_lookup_realm = false
    dns_lookup_kdc = false
I'll have to check AD for anonymous reads; I didn't set it up so I'm not sure.
12/20/2008 2:23:29 PM
evan:
I'd take them out; I've never used them before.
And yes, you need to add the other domain as a realm. 12/20/2008 2:25:15 PM
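Pulling together the two pieces of advice in this thread (define each realm and its KDC in krb5.conf, then walk wbinfo -m / wbinfo -n / kinit / smbclient -L -k / klist), here is an added example that is not code from the thread or from the Samba project: a POSIX shell script that flags any realm referenced in krb5.conf, or named on its command line, that has no kdc entry (the gap that matters when dns_lookup_kdc = false stops libkrb5 from consulting DNS SRV records), checks that nsswitch.conf sends passwd and group lookups to winbind, and wraps the live checks in a function that only runs where the Samba tools are installed. The realms DOMAINA.COM and DOMAINB.COM, the hostnames, and both sample config files are constructed placeholders, not the poster's real environment.

```shell
#!/bin/sh
# Added example, not from the thread. Checks a krb5.conf for the two-realm
# trust case (every realm the box must reach needs a kdc line when
# dns_lookup_kdc = false), checks that nsswitch.conf routes passwd and group
# lookups through winbind, and wraps the live diagnostics in a function that
# only runs where the Samba tools exist. Realms, hostnames and the sample
# config files are constructed placeholders.

# realms_with_kdc CONF: print, one per line, every realm under [realms]
# that defines a kdc. Handles both "REALM = {" blocks and the one-line
# "REALM = { kdc = host }" form.
realms_with_kdc() {
    awk '
        /^[[:space:]]*\[/ { sect = $0; gsub(/[^A-Za-z_]/, "", sect); next }
        sect == "realms" && /=[[:space:]]*[{]/ {
            realm = $1; if ($0 ~ /kdc[[:space:]]*=/) seen[realm] = 1; next }
        sect == "realms" && /^[[:space:]]*kdc[[:space:]]*=/ { seen[realm] = 1; next }
        END { for (r in seen) print r }
    ' "$1" | sort
}

# mapped_realms CONF: print the realms that [domain_realm] maps hosts onto.
mapped_realms() {
    awk '
        /^[[:space:]]*\[/ { sect = $0; gsub(/[^A-Za-z_]/, "", sect); next }
        sect == "domain_realm" && /=/ {
            r = substr($0, index($0, "=") + 1); gsub(/[[:space:]]/, "", r); print r }
    ' "$1" | sort -u
}

# missing_kdc CONF [REALM...]: realms that are mapped in [domain_realm] or
# named on the command line but have no kdc. Empty output means all good.
missing_kdc() {
    conf=$1; shift
    { for r in "$@"; do echo "$r"; done; mapped_realms "$conf"; } | sort -u |
    while read -r r; do
        realms_with_kdc "$conf" | grep -qx "$r" || echo "$r"
    done
}

# winbind_in_nsswitch FILE: succeed only if passwd and group both list winbind.
winbind_in_nsswitch() {
    grep -Eq '^[[:space:]]*passwd:.*[[:space:]]winbind([[:space:]]|$)' "$1" &&
    grep -Eq '^[[:space:]]*group:.*[[:space:]]winbind([[:space:]]|$)' "$1"
}

# check_trust 'DOMAINA+user' DOMAINA.COM samba.domainb.com
# The live sequence from the thread, run on the Samba host. Returns 2
# without doing anything when the Samba tools are not installed.
check_trust() {
    command -v wbinfo >/dev/null 2>&1 || { echo "Samba tools not installed"; return 2; }
    wbinfo -m                    # both trusted domains should be listed
    wbinfo -n "$1"               # name -> SID; compare with the SID in log.wb-*
    wbinfo -i "$1"               # SID -> user info; the lookup behind the logged error
    getent passwd "$1"           # the same lookup through nsswitch/winbind
    kinit "${1#*+}@$2" && klist  # strip "DOMAINA+" to get user@REALM
    smbclient -L "$3" -k         # list shares using the Kerberos ticket
}

# Constructed sample inputs.
work=$(mktemp -d)
cat > "$work/krb5-bad.conf" <<'EOF'
# Only the local realm is defined, like the krb5.conf posted in the thread.
[libdefaults]
    default_realm = DOMAINB.COM
    dns_lookup_kdc = false
[realms]
    DOMAINB.COM = { kdc = server.domainb.com }
[domain_realm]
    .domainb.com = DOMAINB.COM
    domainb.com = DOMAINB.COM
EOF
cat > "$work/krb5-good.conf" <<'EOF'
[libdefaults]
    default_realm = DOMAINB.COM
[realms]
    DOMAINB.COM = {
        kdc = server.domainb.com
        admin_server = server.domainb.com
    }
    DOMAINA.COM = {
        kdc = server.domaina.com
        admin_server = server.domaina.com
    }
[domain_realm]
    .domainb.com = DOMAINB.COM
    domainb.com = DOMAINB.COM
    .domaina.com = DOMAINA.COM
    domaina.com = DOMAINA.COM
EOF
printf 'passwd: files winbind\nshadow: files\ngroup:  files winbind\n' > "$work/nsswitch.conf"

echo "bad conf, realms without a kdc:  $(missing_kdc "$work/krb5-bad.conf" DOMAINA.COM DOMAINB.COM)"
echo "good conf, realms without a kdc: $(missing_kdc "$work/krb5-good.conf" DOMAINA.COM DOMAINB.COM)"
winbind_in_nsswitch "$work/nsswitch.conf" && echo "nsswitch.conf: passwd and group use winbind"
```

Run as-is to see the check on the two sample files; on the Samba host, call check_trust 'DOMAINA+user' DOMAINA.COM samba.domainb.com for the live sequence. The ordering is the point: wbinfo -n succeeding while wbinfo -i or getent fails means the name-to-SID step works and the SID-to-user-info step (the one the "Error getting user info for sid" line comes from) is what is broken, which is a different problem from Kerberos authentication failing at kinit.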
ncsuapex:
OK, I'll make the changes on Monday.
Quote: "do you have anonymous reads enabled for your domain?"
Do you mean in smb.conf or on the domain controller?
I've got security=ads in smb.conf. 12/20/2008 2:57:03 PM
evan:
On the domain controller.
There's an option to allow anonymous read access to the tree; you had to have it enabled to be compatible with Windows 2000. 12/20/2008 3:04:36 PM
ncsuapex:
Oh OK, I'll check on Monday. Our DCs are W2k3. 12/20/2008 3:05:42 PM
ncsuapex:
Added the realm; still not getting access.
    Check_domain_match: attempt to connect as user username from domainb denied
12/22/2008 9:44:18 AM
ncsuapex:
GD IT!
I finally figured out what the problem was.
I was trying to test the Samba shares on my domaina workstation using an account from domainb by mapping a share as the test user.
We finally got around to setting up a workstation on domainb, and that user was able to map a share to domaina. Must not like trying to authenticate as another domain's user if you're not logged in as that user. 12/22/2008 6:07:25 PM
Tiberius:
If you use "domain\user" you (should) be able to
[Edited on December 22, 2008 at 6:21 PM. Reason: (log on as a user from another domain)] 12/22/2008 6:20:48 PM
ncsuapex:
Well, I was logged in as me on domaina trying to map a Samba share as domainb\testuser;
that's what wasn't working. But we moved a user over to domainb and had them try to map a Samba share as themselves to a share on domaina, and it worked, so that's all I needed. 12/22/2008 6:25:14 PM
Tiberius:
Ah well, so much for that theory, lol. 12/22/2008 6:28:59 PM
evan:
Quote: "But we moved a user over to domainb and had them try to map a samba share as them to a share on domaina and it worked so thats all I needed"
Hah, well, that would certainly do it. 12/22/2008 11:52:54 PM