[Samba] Winbind with krb5auth for trust users

Andreas Hauffe andreas.hauffe at tu-dresden.de
Tue Aug 22 15:18:59 UTC 2017


Hi,

the external trust we have is a one-directional external trust. So 
users of the trusted dom can log on to local dom clients, but not the 
other way around. In case of "wbinfo -a" all communication is between 
the client and the domain controller of the local domain, which is the 
proxy for the auth process. In case of "wbinfo -K" all communication is 
between the client and a trusted domain controller and the client does not 
have any rights/credentials there. Perhaps that's why I'm getting a

No logon servers Could not authenticate user [GLOBALDOM\globdomuser] 
with Kerberos

error message.

Regards,
Andreas

On 22.08.2017 at 14:30, Andreas Hauffe via samba wrote:
> Hi,
>
> I already added the two lines in smb.conf for my last test.
>
> Andreas
>
> [global]
>        security = ADS
>        workgroup = LOC
>        realm = LOC.EXAMPLE.COM
>        dedicated keytab file = /etc/krb5.keytab
>        kerberos method = secrets and keytab
>
>        log file = /var/log/samba/%m.log
>        log level = 1
>
>        template homedir = /home/%D/%U
>        template shell = /bin/bash
>
>        # Default ID mapping configuration for local BUILTIN accounts
>        # and groups on a domain member. The default (*) domain:
>        # - must not overlap with any domain ID mapping configuration!
>        # - must use a read-write-enabled back end, such as tdb.
>        # - Adding just this is not enough
>        # - You must set a DOMAIN backend configuration, see below
>        idmap config * : backend = tdb
>        idmap config * : range = 3000-9999
>        idmap config LOC : backend = rid
>        idmap config LOC : range = 1000000-2000000
>        idmap config GLOB : backend = rid
>        idmap config GLOB : range = 3000000-4000000
>
>
> On 22.08.2017 at 14:10, Rowland Penny via samba wrote:
>> On Tue, 22 Aug 2017 13:51:24 +0200
>> Andreas Hauffe via samba <samba at lists.samba.org> wrote:
>>
>>> Hi,
>>>
>>> sorry for not reading the comment above idmap config. I uninstalled
>>> and reinstalled samba and configs to remove all old id mappings and
>>> so on. Then changed all configs as advised. The id mapping is working
>>> correctly (wbinfo -i) for local and trusted domain. But I still
>>> cannot logon with wbinfo -K with a trusted domain account.
>>>
>> You will probably need a couple more lines in smb.conf:
>>
>>            idmap config OTHERDOM : backend = rid
>>            idmap config OTHERDOM : range = 2000001-3000000
>>
>> Rowland
>>
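The smb.conf comment quoted in the thread says the default (*) idmap range must not overlap with any domain range and must use a read-write backend. The following is an added example (not code from the thread or from the Samba project) that parses the "idmap config" lines of a configuration and reports exactly those mistakes before winbind is restarted. The embedded configuration text is constructed, modelled on the [global] section posted above; the set of backends treated as "can allocate new IDs" is an assumption of this script, not something Samba exposes.

```python
import re
from typing import Dict, List, Tuple

# Constructed smb.conf fragment, modelled on the [global] section quoted in the
# thread (same ranges as the posted configuration).
SAMPLE_SMB_CONF = """
[global]
       security = ADS
       workgroup = LOC
       realm = LOC.EXAMPLE.COM
       # Default ID mapping configuration for local BUILTIN accounts
       idmap config * : backend = tdb
       idmap config * : range = 3000-9999
       idmap config LOC : backend = rid
       idmap config LOC : range = 1000000-2000000
       idmap config GLOB : backend = rid
       idmap config GLOB : range = 3000000-4000000
"""

# Constructed broken variant: the LOC range starts inside the default range.
BAD_SMB_CONF = """
[global]
       idmap config * : backend = tdb
       idmap config * : range = 3000-9999
       idmap config LOC : backend = rid
       idmap config LOC : range = 5000-2000000
"""

# Matches lines of the form "idmap config <DOMAIN> : <key> = <value>".
IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>\S+)\s*:\s*(?P<key>\w+)\s*=\s*(?P<val>.+?)\s*$",
    re.IGNORECASE,
)

# Assumption: backends that allocate new mappings on demand, i.e. are
# acceptable for the default (*) domain. "rid" and "ad" are read-only.
READ_WRITE_BACKENDS = {"tdb", "tdb2", "ldap", "autorid"}


def parse_idmap(conf: str) -> Dict[str, Dict[str, str]]:
    """Collect the idmap settings of every domain named in the config text."""
    domains: Dict[str, Dict[str, str]] = {}
    for line in conf.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in "#;":  # smb.conf comment lines
            continue
        m = IDMAP_RE.match(line)
        if m:
            dom = m.group("dom").upper()  # domain names are case-insensitive
            domains.setdefault(dom, {})[m.group("key").lower()] = m.group("val")
    return domains


def parse_range(text: str) -> Tuple[int, int]:
    """Turn 'low-high' into a pair of ints; raises ValueError if malformed."""
    low, high = (int(part) for part in text.replace(" ", "").split("-", 1))
    return low, high


def check_idmap(conf: str) -> List[str]:
    """Return a list of problems found; an empty list means the idmap config is sane."""
    problems: List[str] = []
    domains = parse_idmap(conf)
    if "*" not in domains:
        problems.append("no default (*) idmap domain configured")

    ranges: Dict[str, Tuple[int, int]] = {}
    for dom, settings in domains.items():
        backend = settings.get("backend")
        if backend is None:
            problems.append(f"{dom}: no backend configured")
        elif dom == "*" and backend.lower() not in READ_WRITE_BACKENDS:
            problems.append(f"*: backend '{backend}' cannot allocate new IDs")
        if "range" not in settings:
            problems.append(f"{dom}: no range configured")
            continue
        try:
            low, high = parse_range(settings["range"])
        except ValueError:
            problems.append(f"{dom}: unparsable range '{settings['range']}'")
            continue
        if low >= high:
            problems.append(f"{dom}: range low {low} must be below high {high}")
            continue
        ranges[dom] = (low, high)

    # Pairwise overlap check across all domains, including the default (*).
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            a_lo, a_hi = ranges[a]
            b_lo, b_hi = ranges[b]
            if a_lo <= b_hi and b_lo <= a_hi:
                problems.append(f"ranges of {a} and {b} overlap")
    return problems


if __name__ == "__main__":
    for name, conf in (("sample", SAMPLE_SMB_CONF), ("bad", BAD_SMB_CONF)):
        print(name, check_idmap(conf) or "OK")
```

Run it against the real file with `check_idmap(open("/etc/samba/smb.conf").read())`; a non-empty list is a reason not to restart winbind yet, because an overlapping or read-only default range shows up later as confusing "wbinfo -i" results rather than as a clear error.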

