Samba authentication across AD forests

Ivo.vanGeel at radboudumc.nl
Thu Jan 16 05:35:20 MST 2014


Hello all,

I am currently trying to connect a Samba server (running on CentOS 6.5) to a Windows 2008R2 AD domain (domain A),
which itself has a two-way transitive forest trust to another Windows 2008R2 AD domain (domain B).

The Samba server is joined to domain A and should be able to authenticate users in domain B.

Is this currently possible using some version of either Samba3 or Samba4?

The current Samba config file reads:

[global]
        workgroup = RESEARCHTEST
        realm = RESEARCHTEST.UMCN.NL
        security = ads
        idmap config * : range = 10000000-20000000
        template shell = /sbin/nologin
        winbind use default domain = false
        winbind offline logon = false
        preferred master = no
        local master = no
        server string = UMC WP2 Samba Test 01
        encrypt passwords = yes
        log level = 3 auth:10 winbind:10 idmap:10
        log file = /var/log/samba/log.%m
        max log size = 50
        printing = bsd
        load printers = no
        disable spoolss = yes
        show add printer wizard = no
        winbind nested groups = yes
# Configure writable TDB backend
        idmap config * : backend = tdb
        idmap config * : range = 10000000-20000000
## Configure read-only RESEARCHTEST and TESTUMCN AD backend
        idmap config RESEARCHTEST : backend = ad
        idmap config RESEARCHTEST : range = 100-9999999
        idmap config RESEARCHTEST : schema_mode = rfc2307
        idmap config TESTUMCN : backend = ad
        idmap config TESTUMCN : range = 2000-9999999
        idmap config TESTUMCN : schema_mode = rfc2307
        winbind nss info = rfc2307
        winbind expand groups = 2
        ldap ssl = off

The Kerberos config file reads:

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true

[appdefaults]
pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
}

[realms]

[domain_realm]

Thanks for your help.


Kind regards,
Ivo van Geel.


The Radboud university medical center is listed in the Commercial Register of the Chamber of Commerce under file number 41055629.
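The smb.conf man page requires that the idmap ranges of different domains do not overlap, and the configuration posted above gives RESEARCHTEST and TESTUMCN overlapping ranges (100-9999999 and 2000-9999999). The following checker is an added example, not code from the post or from the Samba project; it parses the `idmap config` lines of an smb.conf fragment (the sample is the idmap part of the configuration above) and reports missing backends or ranges and any pair of ranges that overlap.

```python
import re

# Sample input: the idmap lines from the smb.conf posted in the question above.
SAMPLE_SMB_CONF = """
[global]
        idmap config * : backend = tdb
        idmap config * : range = 10000000-20000000
        idmap config RESEARCHTEST : backend = ad
        idmap config RESEARCHTEST : range = 100-9999999
        idmap config RESEARCHTEST : schema_mode = rfc2307
        idmap config TESTUMCN : backend = ad
        idmap config TESTUMCN : range = 2000-9999999
        idmap config TESTUMCN : schema_mode = rfc2307
"""

# Matches "idmap config <domain> : <option> = <value>" (domain may be "*").
IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$",
                      re.IGNORECASE)


def parse_idmap(conf_text):
    """Return {domain: {option: value}} for every 'idmap config' line."""
    domains = {}
    for line in conf_text.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
            domains.setdefault(dom, {})[opt] = val
    return domains


def parse_range(text):
    """Parse 'low-high' into (low, high); reject inverted ranges."""
    lo, hi = (int(x) for x in text.split("-"))
    if lo > hi:
        raise ValueError(f"inverted idmap range {text}")
    return lo, hi


def check_idmap(conf_text):
    """Return a list of problems: missing backend/range, or overlapping ranges."""
    problems, ranges = [], {}
    for dom, opts in parse_idmap(conf_text).items():
        if "backend" not in opts:
            problems.append(f"{dom}: no backend configured")
        if "range" not in opts:
            problems.append(f"{dom}: no range configured")
            continue
        ranges[dom] = parse_range(opts["range"])
    names = sorted(ranges)
    for i, a in enumerate(names):  # pairwise overlap test over all domains
        for b in names[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:
                problems.append(f"{a} ({alo}-{ahi}) overlaps {b} ({blo}-{bhi})")
    return problems
```

Run against the sample, check_idmap reports the RESEARCHTEST/TESTUMCN overlap while the default (*) range passes.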
