Now I don't have idmap errors, but the user from the trusted domain still can't connect. This is what the debug logs when the user from the trusted domain tries to connect:

Added domain EU15 wineur.EU15.com S-1-5-21-2139401007-2349514585-891123631
[ 0]: request interface version
[ 0]: request location of privileged pipe
[ 0]: domain_info [EU15]
[ 8520]: Get DC name for EU15
cm_get_ipc_userpass: No auth-user defined
Doing spnego session setup (blob length=122)
got OID=1 2 840 48018 1 2 2
got OID=1 2 840 113554 1 2 2
got OID=1 2 840 113554 1 2 2 3
got OID=1 3 6 1 4 1 311 2 2 10
got [EMAIL PROTECTED]
Doing kerberos session setup
Ticket in ccache[MEMORY:cliconnect] expiration Tue, 04 Jul 2006 00:07:28 IDT
rpc_pipe_bind: Remote machine EUR-DC04-LON pipe \lsarpc fnum 0xe bind request returned ok.
rpc_pipe_bind: Remote machine EUR-DC04-LON pipe \lsarpc fnum 0xf bind request returned ok.
lsa_io_sec_qos: length c does not match size 8
[ 0]: pam auth crap domain: [EU15] user: test1
[ 8520]: pam auth crap domain: EU15 user: test1
[ 0]: request interface version
[ 0]: request location of privileged pipe
[ 0]: domain_info [EU15]
[ 0]: pam auth crap domain: [EU15] user: test1
[ 8520]: pam auth crap domain: EU15 user: test1
[ 0]: request interface version
[ 0]: request location of privileged pipe
[ 0]: domain_info [EU15]
[ 0]: pam auth crap domain: [EU15] user: test1
[ 8520]: pam auth crap domain: EU15 user: test1
[ 0]: request interface version
[ 0]: request location of privileged pipe
[ 0]: domain_info [EU15]
[ 0]: pam auth crap domain: [EU15] user: test1
[ 8520]: pam auth crap domain: EU15 user: test1
[ 0]: domain_info [EU15]
[ 0]: pam auth crap domain: [EU15] user: test1
[ 8520]: pam auth crap domain: EU15 user: test1

-----Original Message-----
From: Michael Gasch [mailto:[EMAIL PROTECTED]
Sent: Monday, July 03, 2006 1:19 PM
To: Nir Barkan
Cc: samba@lists.samba.org
Subject: Re: [Samba] Samba and trusted domains

for trusted domains to work you have to use either tdbsam or ldap backend.
don't know whether ad works, though.

this should work for you:

# idmap backend =                   # please comment out for tdbsam
idmap uid = 10000-100000
idmap gid = 10000-100000
winbind use default domain = Yes    # your choice
winbind trusted domains only = no   # must
allow trusted domains = yes         # must

greez

Nir Barkan wrote:
>
> I tried all the combinations on the "idmap backend" line and still have
> errors.
>
> What is the exact "idmap backend" line that I should add to my smb.conf file
> when "ITGIL" = my domain and "EU15" = my trusted domain?
>
> Thanks,
>
> Nir
>
> -----Original Message-----
> From: Michael Gasch [mailto:[EMAIL PROTECTED]
> Sent: Monday, July 03, 2006 11:22 AM
> To: Nir Barkan
> Cc: samba@lists.samba.org
> Subject: Re: [Samba] Samba and trusted domains
>
> :)
>
> > idmap backend = ITGIL=10000-19999,EU15=20000-30000
> this is not correct semantic ;)
>
> example:
> idmap backend = rid:"BUILTIN=1000-1999,DOMNAME=2000-100000000"
>
> this should work
>
> greez
>
>
> Nir Barkan wrote:
>> I added the idmap backend to my smb.conf as you suggested
>>
>>
>> idmap backend = ITGIL=10000-19999,EU15=20000-30000
>>
>> I get the following (on the winbind debug):
>>
>> idmap_init: using 'ITGIL=10000-19999' as remote backend
>> Error loading module '/opt/local/lib/idmap/ITGIL=10000-19999.so': ld.so.1:
>> ./winbindd: fatal: /opt/local/lib/idmap/ITGIL=10000-19999.so: open failed:
>> No such file or directory
>> idmap_init: could not load remote backend 'ITGIL=10000-19999'
>> Could not init idmap -- netlogon proxy only
>>
>> The idmap directory exists; do I need to run something manually?
>>
>> P.S
>>
>> ITGIL = my domain
>> EU15 = my trusted domain
>>
>> Thanks,
>>
>> Nir
>>
>>
>> -----Original Message-----
>> From: Michael Gasch [mailto:[EMAIL PROTECTED]
>> Sent: Sunday, July 02, 2006 9:46 PM
>> To: Nir Barkan
>> Cc: samba@lists.samba.org
>> Subject: Re: [Samba] Samba and trusted domains
>>
>> you should do something like
>>
>> idmap backend = "MYDOMAIN=10000-19999,TRUSTEDDOMAINNAME=20000-100000000"
>>
>> as i already wrote in a posting before. this won't work with idmap_rid,
>> but with all other backend.
>> i think you can stay with "winbind trusted domains only".
>>
>> you should also run winbindd in interactive mode and debug level 3.
>> then you should see something like "init idmap backend for DOMAIN
>> MYDOMAIN, init idmap backend for DOMAIN TRUSTEDDOMAINNAME"
>>
>> greez
>>
>>
>> Nir Barkan wrote:
>>> Id test1 not working
>>>
>>> Wbinfo -u return DomainName username (EUROPE test1)
>>>
>>> The user is from trusted domain
>>>
>>> I defined idmap uid = 10000-2000 and idmap gid = 10000-20000 on my
>>> smb.conf, Do I need to define something more?
>>>
>>> Thanks,
>>>
>>> Nir
>>>
>>> -----Original Message-----
>>> From: Michael Gasch [mailto:[EMAIL PROTECTED]
>>> Sent: Friday, June 30, 2006 4:12 PM
>>> To: Nir Barkan
>>> Cc: samba@lists.samba.org
>>> Subject: Re: [Samba] Samba and trusted domains
>>>
>>> > Id test1 not working
>>> but wbinfo -u shows it?
>>> if so you have a problem with mapping samba accounts to unix accounts.
>>> is it a user from a trusted domain (to get back to the thread title)?
>>>
>>> > My dc is windows 2003 DC, do I need to install something on it?
>>> no
>>>
>>> greez
>>>
>>> Nir Barkan wrote:
>>>
>>>> Id test1 not working
>>>>
>>>> I tried without "winbind trusted domains only = Yes" and got the same
>>>> results.
>>>>
>>>> My dc is windows 2003 DC, do I need to install something on it?
>>>>
>>>> P.S
>>>>
>>>> Thanks much for your help :-)
>>>>
>>>> -----Original Message-----
>>>> From: Michael Gasch [mailto:[EMAIL PROTECTED]
>>>> Sent: Thursday, June 29, 2006 1:19 PM
>>>> To: Nir Barkan
>>>> Cc: samba@lists.samba.org
>>>> Subject: Re: [Samba] Samba and trusted domains
>>>>
>>>>
>>>>> "Id <username_from_local_domain_without_prefix_domainname" give me the user
>>>>> uid and gid.
>>>> good
>>>>
>>>> some further questions:
>>>> - does "id test1" work?
>>>> - why did you set "winbind trusted domains only = Yes"
>>>>
>>>> for trusted domains to work, you have to use winbind on your DC.
>>>> furthermore on each member server you have to specify an idmap range for
>>>> each domain, like
>>>>
>>>> idmap backend = "MYDOMAIN=10000-19999,TRUSTEDDOMAIN=20000-100000000"
>>>>
>>>> greez
>>>>

--
Michael Gasch
Max Planck Institute for Evolutionary Anthropology
Department of Human Evolution (IT Staff)
Deutscher Platz 6
D-04103 Leipzig
Germany

Phone: 49 (0)341 - 3550 137
       49 (0)341 - 3550 374
Fax:   49 (0)341 - 3550 399
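
Added example, not part of the original thread or of Samba: a small Python check for the smb.conf settings discussed above (an "idmap backend" value that does not start with a module name, an "idmap uid"/"idmap gid" range whose low end is not below its high end, and the two trusted-domain switches). The function names and both sample configs are constructed for illustration, and the checks encode the advice given in this thread, not Samba's own validation.

```python
import re

RANGE = re.compile(r"^(\d+)\s*-\s*(\d+)$")
MODULE = re.compile(r"^[A-Za-z_]\w*$")   # e.g. rid, ldap
TRUE = {"yes", "true", "on", "1"}
def parse_smb_conf(text):
    """Return {parameter: value}; names lower-cased, whitespace collapsed."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;[" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[" ".join(key.lower().split())] = value.strip()
    return params

def lint_idmap(text):
    p, findings = parse_smb_conf(text), []
    backend = p.get("idmap backend")
    if backend is not None:
        # The text before ':' is what winbindd tries to load as <name>.so
        # (see the "Error loading module" lines quoted in the thread).
        module = backend.strip('"').split(":", 1)[0].split(",")[0]
        if not MODULE.match(module):
            findings.append(f"idmap backend: '{module}' is not a module name")
    for key in ("idmap uid", "idmap gid"):
        m = RANGE.match(p.get(key, ""))
        if not m:
            findings.append(f"{key}: missing or not of the form low-high")
        elif int(m.group(1)) >= int(m.group(2)):
            findings.append(f"{key}: empty range {p[key]}")
    if p.get("allow trusted domains", "yes").lower() not in TRUE:
        findings.append("allow trusted domains: must be yes")
    if p.get("winbind trusted domains only", "no").lower() in TRUE:
        findings.append("winbind trusted domains only: thread advice is no")
    return findings

# Constructed samples: settings reported in the thread, then the suggested set.
BROKEN = """[global]
idmap backend = ITGIL=10000-19999,EU15=20000-30000
idmap uid = 10000-2000
idmap gid = 10000-20000
winbind trusted domains only = Yes
"""
SUGGESTED = """[global]
idmap uid = 10000-100000
idmap gid = 10000-100000
winbind trusted domains only = no
allow trusted domains = yes
"""
```

Calling lint_idmap(BROKEN) returns three findings (backend, idmap uid, winbind trusted domains only); lint_idmap(SUGGESTED) returns an empty list.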