Old 11-10-2008, 03:00 PM   #1
ncsuapex
Member
 
Registered: Dec 2004
Location: Raleigh, NC
Distribution: CentOS 2.6.18-53.1.4.el5
Posts: 770

Rep: Reputation: 44
need to authenticate to 2 domains (samba)


We are splitting some servers into 2 domains but will need users to be able to authenticate to a server regardless of what domain it is on.

We are using Active Directory on a W2k3 box to authenticate our users on each domain. On the Linux servers we are running winbind/samba/pam/kerberos. What do I need to do to allow users to authenticate to the Linux servers?


When I do a wbinfo -m it lists both domains as Trusted Domains. When I do a wbinfo -u it has a list of DOMAIN-B+usernames as well as the usernames of the original domain.


I try to access the server by:
ssh DOMAIN-B+username@servername

put my password in 3 times and it fails.


Permission denied (publickey,gssapi-with-mic,password).


/var/log/secure shows:

Nov 10 15:56:26 servername sshd[20079]: Invalid user DOMAIN-B+username from 192.168.6.10
Nov 10 20:56:26 servername sshd[20082]: input_userauth_request: invalid user DOMAIN-B+username
Nov 10 20:56:26 servername sshd[20082]: Failed none for invalid user DOMAIN-B+username from 192.168.6.10 port 52942 ssh2
Nov 10 15:56:28 servername sshd[20079]: pam_unix(sshd:auth): check pass; user unknown
Nov 10 15:56:28 servername sshd[20079]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=servername2.DOMAIN-B.com
Nov 10 15:56:28 servername sshd[20079]: pam_succeed_if(sshd:auth): error retrieving information about user DOMAIN-B+username
Nov 10 15:56:30 servername sshd[20079]: Failed password for invalid user DOMAIN-B+username from 192.168.6.10 port 52942 ssh2
Nov 10 20:56:30 servername sshd[20082]: Failed password for invalid user DOMAIN-B+username from 192.168.6.10 port 52942 ssh2
Nov 10 15:56:32 servername sshd[20079]: pam_unix(sshd:auth): check pass; user unknown
Nov 10 15:56:32 servername sshd[20079]: pam_succeed_if(sshd:auth): error retrieving information about user DOMAIN-B+username
Nov 10 15:56:34 servername sshd[20079]: Failed password for invalid user DOMAIN-B+username from 192.168.6.10 port 52942 ssh2
Nov 10 20:56:34 servername sshd[20082]: Failed password for invalid user DOMAIN-B+username from 192.168.6.10 port 52942 ssh2
Nov 10 15:56:35 servername sshd[20079]: pam_unix(sshd:auth): check pass; user unknown
Nov 10 15:56:35 servername sshd[20079]: pam_succeed_if(sshd:auth): error retrieving information about user DOMAIN-B+username
Nov 10 15:56:37 servername sshd[20079]: Failed password for invalid user DOMAIN-B+username from 192.168.6.10 port 52942 ssh2
Nov 10 20:56:37 servername sshd[20082]: Failed password for invalid user DOMAIN-B+username from 192.168.6.10 port 52942 ssh2
Nov 10 20:56:37 servername sshd[20082]: Connection closed by 192.168.6.10
Nov 10 15:56:37 servername sshd[20079]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=servername2.DOMAIN-B.com



any ideas?

Last edited by ncsuapex; 11-14-2008 at 12:45 PM. Reason: .
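The "Invalid user" lines in the /var/log/secure excerpt above are written by sshd when the name cannot be resolved through NSS (getpwnam() finds nothing), which happens before any password is checked; the pam_succeed_if "error retrieving information about user" lines say the same thing from PAM's side. As an added example (not code from this thread), here is a small Python parser that groups those failures per user and separates "the name never resolved" from "the password was wrong". The log text is a constructed sample copied from post 1, and summarize_sshd, classify and split_winbind_name are names chosen for this illustration.

```python
import re

# Constructed sample: the /var/log/secure excerpt from post 1, used as test input.
SECURE_LOG = """\
Nov 10 15:56:26 servername sshd[20079]: Invalid user DOMAIN-B+username from 192.168.6.10
Nov 10 20:56:26 servername sshd[20082]: input_userauth_request: invalid user DOMAIN-B+username
Nov 10 20:56:26 servername sshd[20082]: Failed none for invalid user DOMAIN-B+username from 192.168.6.10 port 52942 ssh2
Nov 10 15:56:28 servername sshd[20079]: pam_unix(sshd:auth): check pass; user unknown
Nov 10 15:56:28 servername sshd[20079]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=servername2.DOMAIN-B.com
Nov 10 15:56:28 servername sshd[20079]: pam_succeed_if(sshd:auth): error retrieving information about user DOMAIN-B+username
Nov 10 15:56:30 servername sshd[20079]: Failed password for invalid user DOMAIN-B+username from 192.168.6.10 port 52942 ssh2
Nov 10 20:56:30 servername sshd[20082]: Failed password for invalid user DOMAIN-B+username from 192.168.6.10 port 52942 ssh2
Nov 10 15:56:32 servername sshd[20079]: pam_succeed_if(sshd:auth): error retrieving information about user DOMAIN-B+username
Nov 10 15:56:34 servername sshd[20079]: Failed password for invalid user DOMAIN-B+username from 192.168.6.10 port 52942 ssh2
Nov 10 20:56:34 servername sshd[20082]: Failed password for invalid user DOMAIN-B+username from 192.168.6.10 port 52942 ssh2
Nov 10 15:56:35 servername sshd[20079]: pam_succeed_if(sshd:auth): error retrieving information about user DOMAIN-B+username
Nov 10 15:56:37 servername sshd[20079]: Failed password for invalid user DOMAIN-B+username from 192.168.6.10 port 52942 ssh2
Nov 10 20:56:37 servername sshd[20082]: Failed password for invalid user DOMAIN-B+username from 192.168.6.10 port 52942 ssh2
Nov 10 15:56:37 servername sshd[20079]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=servername2.DOMAIN-B.com
"""

# syslog prefix "Mon DD HH:MM:SS host sshd[pid]: message"
LINE_RE = re.compile(r"^[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d (?P<host>\S+) sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
INVALID_RE = re.compile(r"^Invalid user (?P<user>\S+) from (?P<src>\S+)$")
FAILED_RE = re.compile(r"^Failed (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+")
NSS_ERR_RE = re.compile(r"error retrieving information about user (?P<user>\S+)$")


def _entry(summary, user):
    return summary.setdefault(user, {
        "unresolved": False,      # sshd logged "Invalid user": getpwnam() found nothing
        "failed_password": 0,     # password attempts that were rejected
        "nss_errors": 0,          # pam_succeed_if could not look the user up either
        "sources": set(),
        "pids": set(),
    })


def summarize_sshd(log_text):
    """Group sshd authentication failures by the user name that was attempted."""
    summary = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        msg, pid = m.group("msg"), int(m.group("pid"))
        im = INVALID_RE.match(msg)
        if im:
            e = _entry(summary, im.group("user"))
            e["unresolved"] = True
            e["sources"].add(im.group("src"))
            e["pids"].add(pid)
            continue
        fm = FAILED_RE.match(msg)
        if fm:
            e = _entry(summary, fm.group("user"))
            if fm.group("method") == "password":   # "Failed none" is the initial probe, not a password
                e["failed_password"] += 1
            e["sources"].add(fm.group("src"))
            e["pids"].add(pid)
            continue
        nm = NSS_ERR_RE.search(msg)
        if nm:
            _entry(summary, nm.group("user"))["nss_errors"] += 1
    return summary


def split_winbind_name(name, separator="+"):
    """Split DOMAIN<separator>user into (domain, user); a plain local name gives (None, name)."""
    dom, sep, user = name.partition(separator)
    return (dom, user) if sep else (None, name)


def classify(entry):
    """Distinguish 'the name never resolved' from 'the password was wrong'."""
    if entry["unresolved"] or entry["nss_errors"]:
        return "unresolved_user"      # fix NSS/winbind first; the password was never really tested
    if entry["failed_password"]:
        return "bad_credentials"
    return "no_failure"


if __name__ == "__main__":
    for user, e in summarize_sshd(SECURE_LOG).items():
        dom, short = split_winbind_name(user)
        print(f"{user}: domain={dom} user={short} verdict={classify(e)} "
              f"failed_password={e['failed_password']} sources={sorted(e['sources'])}")
```

On the excerpt the verdict for DOMAIN-B+username is "unresolved_user": the six "Failed password" lines are a consequence of the lookup failure, not evidence that the password was checked, so the place to look is whether `getent passwd DOMAIN-B+username` resolves on the server (nsswitch.conf, winbind separator, idmap) rather than the credentials.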
 
Old 11-11-2008, 11:54 AM   #2
ncsuapex
Original Poster
Ok I've got it to where I can log in to the server using both domain credentials but the UID and GID are messed up.

id DOMAIN2+username

uid=10001(DOMAIN2+username) gid=10000(DOMAIN2+group name)



The group name is the correct name of the group on DOMAIN2 but the UID and GID are wrong.

This is what I put in my smb.conf


allow trusted domains = no

idmap uid = 10000-100000000
idmap gid = 10000-100000000

idmap config DOMAIN1:backend = rid
idmap config ICARUS:range = 10000 - 49999


idmap config DOMAIN2:backend = rid
idmap config DOMAIN2:range = 50000 - 99999



How do I make it pull the correct UID and GID from DOMAIN2?


This box I'm using is FC5
rpm -qa | grep samba
samba-3.0.24-7.fc5
samba-common-3.0.24-7.fc5


I've tried the same smb.conf on a CentOS 5.1 box and cannot get it to work.

Last edited by ncsuapex; 11-11-2008 at 11:55 AM. Reason: .
 
Old 11-14-2008, 12:46 PM   #3
ncsuapex
Original Poster
Ok so I found this piece of info in man samba_selinux.


SHARING FILES
If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t. These contexts allow any of
the above domains to read the content. If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean, allow_DOMAIN_anon_write.
So for samba you would execute:

setsebool -P allow_smbd_anon_write=1



Does this mean I HAVE to have SELinux in order to share samba shares with 2 domains? OR that if I have SELinux running I have to make this change in order for it to work?
 
Old 12-09-2008, 12:07 PM   #4
ncsuapex
Original Poster
Ok I can now map a drive from my workstation on DOMAINA to a samba share on domainb. I have Domain Admin rights on DOMAINA, but I cannot get a regular user to map a drive from DOMAINA to DOMAINB.



The following commands are run on a Linux box on domainb:
cat /var/log/samba/log.wb-DOMAINA
[2008/12/09 12:55:47, 1] nsswitch/winbindd_user.c:winbindd_dual_userinfo(152)
error getting user info for sid S-1-5-21-1831722044-48965883-1171747102-2687


if I do a:

wbinfo -n DOMAINA+testuser
S-1-5-21-1831722044-48965883-1171747102-2687 User (1)


So it sees the user on domaina from domainb, but it won't authenticate.



nsswitch.conf on domainb
passwd: files winbind
shadow: files winbind
group: files winbind
hosts: files dns wins
 
Old 12-11-2008, 09:02 AM   #5
ncsuapex
Original Poster
wbinfo -a domaina+username%password
plaintext password authentication succeeded
challenge/response password authentication succeeded



wbinfo -a domaina\\username%password
plaintext password authentication failed
error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
error messsage was: No such user
Could not authenticate user domaina\username%password with plaintext password
challenge/response password authentication failed
error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
error messsage was: No such user
Could not authenticate user domaina\username with challenge/response


my winbind separator in smb.conf is a +


When I try to map a drive from a workstation on DOMAINA, why is it still failing? I'm logged in as my own user, but I try to map a drive in XP through
MY COMPUTER
TOOLS
MAP NETWORK DRIVE
DRIVE V
\\host\share (located on domainb)
connect using a different name
domaina\username
password



Why is it still failing?


I get this in the log.wb-DOMAINA

[2008/12/11 09:37:41, 1] nsswitch/winbindd_user.c:winbindd_dual_userinfo(152)
error getting user info for sid S-1-5-21-1831722044-48965883-1171747102-2687

that sid matches the user when I do a
wbinfo -n DOMAINA+username
S-1-5-21-1831722044-48965883-1171747102-2687 User (1)



EDIT:


Something else I just noticed. When I map a share from my own workstation as my ID I get the same error in log.wb-DOMAINA
[2008/12/11 10:10:16, 1] nsswitch/winbindd_user.c:winbindd_dual_userinfo(152)
error getting user info for sid S-1-5-21-1831722044-48965883-1171747102-2632

wbinfo -n DOMAINA+myuser
S-1-5-21-1831722044-48965883-1171747102-2632 User (1)

my user does have an account on both domains as Domain Admin, the other user I was using only has an account on DOMAINA as a Domain User

If I do a:
wbinfo -n DOMAINB+myuser I get:
S-1-5-21-2549859046-590480753-776560528-1115 User (1)

If I do an id myuser on a domainb Linux box I get:


id myuser
uid=10012(mysuer)

Which is wrong... that should be uid=1115 according to the account properties on the DC for domainb.



So it looks like the idmapping is wrong. This is what I have in smb.conf


allow trusted domains =Yes
rid:DOMAINB=10000-100000000
idmap uid = 10000-100000000
idmap gid = 10000-100000000
winbind enum users = Yes
winbind enum groups = Yes
winbind nested groups = No
winbind use default domain = Yes
winbind separator = +
template shell = /bin/bash
template homedir = /home/%U



What's going on?? I'm very confused.

Last edited by ncsuapex; 12-11-2008 at 09:19 AM. Reason: ,
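The two smb.conf fragments in posts 2 and 5 both turn on the question of how a SID becomes a uid. As an added example (not code from this thread or from Samba), the Python below parses the idmap settings of a [global] fragment, flags domains whose backend and range lines do not line up (post 2 has a backend for DOMAIN1 but a range for ICARUS), reports a trusted-domain setup that has no per-domain idmap config at all (post 5), and computes the ID a rid backend would hand out using the formula documented in idmap_rid(8), ID = RID - BASE_RID + LOW_RANGE_ID. The conf strings are constructed from the posts, and check_idmap, rid_to_id and split_sid are names chosen here.

```python
import re

# Constructed smb.conf fragments modelled on posts 2 and 5 (not the poster's exact files).
SMB_CONF_POST2 = """\
allow trusted domains = no
idmap uid = 10000-100000000
idmap gid = 10000-100000000
idmap config DOMAIN1:backend = rid
idmap config ICARUS:range = 10000 - 49999
idmap config DOMAIN2:backend = rid
idmap config DOMAIN2:range = 50000 - 99999
"""

SMB_CONF_POST5 = """\
allow trusted domains = Yes
idmap uid = 10000-100000000
idmap gid = 10000-100000000
winbind use default domain = Yes
winbind separator = +
"""

RANGE_RE = re.compile(r"^(\d+)\s*-\s*(\d+)$")
IDMAP_CFG_RE = re.compile(r"^idmap config\s+([^:\s]+)\s*:\s*(\w+)\s*=\s*(.*)$", re.I)


def parse_range(text):
    """'10000 - 49999' -> (10000, 49999); rejects malformed or inverted ranges."""
    m = RANGE_RE.match(text.strip())
    if not m or int(m.group(1)) > int(m.group(2)):
        raise ValueError(f"bad idmap range: {text!r}")
    return int(m.group(1)), int(m.group(2))


def parse_idmap(conf):
    """Return (global options, {DOMAIN: {option: value}}) from a [global] fragment."""
    glob, domains = {}, {}
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        m = IDMAP_CFG_RE.match(line)
        if m:
            domains.setdefault(m.group(1).upper(), {})[m.group(2).lower()] = m.group(3).strip()
            continue
        key, val = (s.strip() for s in line.split("=", 1))
        glob[key.lower()] = val
    return glob, domains


def check_idmap(conf):
    """List inconsistencies; an empty list means the fragment is self-consistent."""
    glob, domains = parse_idmap(conf)
    problems, seen = [], []
    bounds = {k: parse_range(glob[k]) for k in ("idmap uid", "idmap gid") if k in glob}
    for dom, opts in sorted(domains.items()):
        if "backend" in opts and "range" not in opts:
            problems.append(f"{dom}: backend '{opts['backend']}' set but no range")
        if "range" in opts and "backend" not in opts:
            problems.append(f"{dom}: range set but no backend (domain name typo?)")
        if "range" in opts:
            lo, hi = parse_range(opts["range"])
            for key, (glo, ghi) in bounds.items():       # per-domain range must sit inside the global one
                if lo < glo or hi > ghi:
                    problems.append(f"{dom}: range {lo}-{hi} outside {key} {glo}-{ghi}")
            for other, olo, ohi in seen:                 # two domains must never share IDs
                if lo <= ohi and olo <= hi:
                    problems.append(f"{dom}: range {lo}-{hi} overlaps {other} {olo}-{ohi}")
            seen.append((dom, lo, hi))
    if glob.get("allow trusted domains", "yes").lower() in ("yes", "true", "1") and not domains:
        problems.append("trusted domains allowed but no per-domain 'idmap config': "
                        "all domains draw IDs from the global idmap range")
    return problems


def split_sid(sid):
    """Split S-1-5-21-<domain>-<RID> into (domain SID, RID)."""
    head, _, rid = sid.rpartition("-")
    if not head.startswith("S-1-5-21-") or not rid.isdigit():
        raise ValueError(f"not a domain account SID: {sid!r}")
    return head, int(rid)


def rid_to_id(sid, conf, domain):
    """ID a rid backend would assign, per idmap_rid(8): ID = RID - BASE_RID + LOW_RANGE_ID.
    Returns None when the domain has no usable rid configuration or the result leaves the range."""
    _, domains = parse_idmap(conf)
    opts = domains.get(domain.upper(), {})
    if opts.get("backend", "").lower() != "rid" or "range" not in opts:
        return None
    lo, hi = parse_range(opts["range"])
    _, rid = split_sid(sid)
    xid = rid - int(opts.get("base_rid", 0)) + lo
    return xid if lo <= xid <= hi else None


if __name__ == "__main__":
    for name, conf in (("post 2", SMB_CONF_POST2), ("post 5", SMB_CONF_POST5)):
        print(name, check_idmap(conf) or "consistent")
    print(rid_to_id("S-1-5-21-1831722044-48965883-1171747102-2687", SMB_CONF_POST2, "DOMAIN2"))
```

Two things this makes visible. First, the last component of a SID (2687, 1115 in the wbinfo output above) is the RID, and a rid backend adds it to the low end of the domain's range; it never hands out the bare RID, so a uid such as 1115 would not come out of any of the ranges in these fragments, and a uid of 10001 for a domain whose range starts at 50000 (post 2) cannot have come from a rid mapping either. Second, the per-domain `idmap config DOMAIN:backend` syntax was introduced with the idmap rewrite in Samba 3.0.25, which is newer than the 3.0.24 packages listed in post 2, so whether a given Samba version honours those lines is worth confirming against its own idmap documentation.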
 