Hi there

We have a bunch of Samba 3.0.10+ CentOS4.4 servers that are working 100% fine when connected to from users who are members of the same ADS domain our Samba servers are members of. However, users from other ADS domains (we are all W2K3-based) on our network cannot connect - they get NT_STATUS_ACCESS_DENIED. The shares they are trying to connect to have no share-level permission checks - we want any valid account to be able to connect.

auth methods = "sam, winbind", winbind is used and "wbinfo -m" shows the domains we trust. And yet people in those domains cannot login. ntlm_auth - which uses winbind - is able to authenticate such accounts - but it looks like Samba "doesn't care" what winbind thinks - it must be blocking for another reason.

The logs show Samba starts as expected by looking up "otherDom\username", but it always falls back to doing Get_Pwnam_internals calls to winbind on the username by itself, and obviously receives a "no such user" error from winbind.

winbind settings in smb.conf are:

    auth methods = winbind
    winbind separator = \
    winbind cache time = 3600
    winbind enum users = Yes
    winbind enum groups = No
    winbind use default domain = No
    winbind trusted domains only = No
    winbind nested groups = Yes
    winbind nss info = template
    winbind refresh tickets = No
    winbind offline logon = No

We have tried this with both "security = domain" and "security = ADS" - no difference.

"finger myDomain\\username" works, but "finger otherDomain\\username" immediately fails, with log.wb-otherDomain reporting

    error getting user info for sid S-1-5-21-1644491937-1078081533-682003330-6760

...and yet "wbinfo --sid-to-name" maps that back to the correct username, and "wbinfo --name-to-sid" maps the username to the same SID. As mentioned earlier, ntlm_auth with such an account and correct password returns OK.

Any ideas? It smells so close to working...

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377
Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1