
Untitled

a guest
Oct 7th, 2015
  1. # Layout of domains
  2. CSCTRAIN.LOCAL -> (One-way forest trust) -> CSCTEST.LOCAL -> ad-centos 6.7 client running Winbind Version 3.6.23-20.el6
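  3. When querying a user in the CSCTRAIN.LOCAL domain, winbind appears unable to find the domain controller ad-server.csctrain.local in the Kerberos database (the log below reports "Server not found in Kerberos database" for ldap/ad-server.csctrain.local@CSCTRAIN.LOCAL).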
  4.  
  5. [root@ad-centos smb_krb5]# wbinfo -i csctrain.local\\jason-csctrain
  6. failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
  7. Could not get info for user csctrain.local\jason-csctrain
  8. [root@ad-centos smb_krb5]#
  9.  
  10. Connected to LDAP server evw3300295.csctrain.local
  11. time offset is -4 seconds
  12. Found SASL mechanism GSS-SPNEGO
  13. ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.30
  14. ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
  15. ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
  16. ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2.3
  17. ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
  18. ads_sasl_spnego_bind: got server principal name = not_defined_in_RFC4178@please_ignore
  19. ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache found)
  20. ads_krb5_mk_req: smb_krb5_get_credentials failed for ldap/ad-server.csctrain.local@CSCTRAIN.LOCAL (Server not found in Kerberos database)
  21. kinit succeeded but ads_sasl_spnego_krb5_bind failed: Server not found in Kerberos database
  22. ad_idmap_cached_connection_internal: failed to connect to AD
  23. ADS uninitialized: Server not found in Kerberos database
  24. Finished processing child request 59
  25. Could not convert sid S-1-5-21-1756739036-3764305495-3557332716-1147: NT_STATUS_UNSUCCESSFUL
  26.  
  27. [root@ad-centos samba]# cat /etc/krb5.conf
  28. [logging]
  29. default = FILE:/var/log/krb5libs.log
  30. kdc = FILE:/var/log/krb5kdc.log
  31. admin_server = FILE:/var/log/kadmind.log
  32.  
  33. [libdefaults]
  34. default_realm = CSCTEST.LOCAL
  35. dns_lookup_realm = true
  36. dns_lookup_kdc = true
  37. ticket_lifetime = 24h
  38. renew_lifetime = 7d
  39. forwardable = true
  40.  
  41. [realms]
  # Static KDC entries for the local realm (CSCTEST.LOCAL) and the trusted
  # realm (CSCTRAIN.LOCAL). [libdefaults] above also enables dns_lookup_kdc.
  42. CSCTEST.LOCAL = {
  43. kdc = ad-server.csctest.local
  44. admin_server = ad-server.csctest.local
  45. }
  # NOTE(review): the winbind log above connects to LDAP server
  # evw3300295.csctrain.local, yet the failing ticket request is for
  # ldap/ad-server.csctrain.local@CSCTRAIN.LOCAL. "Server not found in Kerberos
  # database" is the KDC's answer for an unknown service principal, so confirm
  # that ad-server.csctrain.local is a real DC name in CSCTRAIN with an ldap/
  # SPN registered (presumably the name was copied from the CSCTEST entry).
  46. CSCTRAIN.LOCAL = {
  47. kdc = ad-server.csctrain.local
  48. }
  49.  
  50. [domain_realm]
  51. csctest.local = CSCTEST.LOCAL
  52. .csctest.local = CSCTEST.LOCAL
  53. csctrain.local = CSCTRAIN.LOCAL
  54. .csctrain.local = CSCTRAIN.LOCAL
  55. [root@ad-centos samba]#
  56.  
  57. [root@ad-centos samba]# cat /etc/samba/smb.conf
  58. [global]
  59. workgroup = CSCTEST
  60. password server = ad-server.csctest.local
  61. realm = CSCTEST.LOCAL
  62. security = ADS
  63. template homedir = /home/%U
  64. template shell = /bin/bash
  65. # winbind use default domain = true
  66. winbind offline logon = false
  67.  
  68. # Added by Jason
  # Trusted-domain and ID-mapping settings: winbind resolves users from
  # trusted domains and maps their SIDs to Unix uid/gid values per domain.
  69. allow trusted domains = yes
  70. # map untrusted to domain = yes
  # Default mapping for any domain without its own idmap section.
  71. idmap config * : backend = tdb
  72. idmap config * : range = 2000 - 9999
  # NOTE(review): base_rid is documented for the rid backend; with
  # backend = tdb it presumably has no effect -- confirm and drop if unused.
  73. idmap config * : base_rid = 0
  74. # idmap backend = tdb
  75. # idmap uid = 2000 - 3000
  76. # idmap gid = 2000 - 3000
  # The ad backend reads uidNumber/gidNumber (rfc2307 schema) from each
  # domain's directory, so winbind needs an authenticated LDAP bind to a DC of
  # that domain. For CSCTRAIN that bind is the step that fails in the log above
  # ("ad_idmap_cached_connection_internal: failed to connect to AD").
  77. idmap config CSCTEST : backend = ad
  78. idmap config CSCTEST : range = 10000 - 20000
  79. idmap config CSCTEST : schema_mode = rfc2307
  80. idmap config CSCTRAIN : backend = ad
  # NOTE(review): the CSCTEST range ends at 20000 and this one starts at 20000,
  # so ID 20000 belongs to both. idmap ranges must be disjoint; an overlap can
  # let two different accounts share one Unix ID. Consider starting at 20001.
  81. idmap config CSCTRAIN : range = 20000 - 30000
  82. idmap config CSCTRAIN : schema_mode = rfc2307
  # Enumeration lists every user and group of every reachable domain; this is
  # mainly needed for tools such as "getent passwd" without a name.
  83. winbind enum users = yes
  84. winbind enum groups = yes
  85. winbind nested groups = yes
  86. # client use spnego = no
  87. # End of Jason edits
  88.  
  # Server banner, logging and local account database.
  89. server string = Samba Server Version %v
  # log level = 10 is full debug output. It produced the trace shown above,
  # which includes SIDs, principal names and internal hostnames; lower it once
  # troubleshooting is finished and restrict read access to /var/log/samba.
  90. log level = 10
  # One log file per connecting machine name (%m).
  91. log file = /var/log/samba/log.%m
  # Size limit in KiB before rotation; at debug level 10 a 50 KiB file rolls
  # over quickly, so relevant lines may already be gone when reviewed.
  92. max log size = 50
  93. passdb backend = tdbsam
  94.  
  95. [homes]
  96. comment = Home Directories
  97. browseable = no
  98. writable = yes
  99.  
  100. [root@ad-centos samba]#