Samba authentication across AD forests

Hemanth Thummala hemanth.thummala at gmail.com
Thu Jan 16 06:42:53 MST 2014


Samba supports cross forest authentication.
I have verified with both samba 3.6.6 and 3.6.12 stacks against win2k8R2
domains.

Thanks,
Hemanth.


On Thu, Jan 16, 2014 at 6:05 PM, <Ivo.vanGeel at radboudumc.nl> wrote:

> Hello all,
>
> I am currently trying to connect a Samba server (running on CentOS 6.5) to
> a Windows 2008R2 AD domain (domain A),
> which itself has a two-way transitive forest trust to another Windows
> 2008R2 AD domain (domain B).
>
> The Samba server is joined to domain A and should be able to authenticate
> users in domain B.
>
> Is this currently possible using some version of either Samba3 or Samba4 ?
>
> The current Samba config file reads:
>
> [global]
>         workgroup = RESEARCHTEST
>         realm = RESEARCHTEST.UMCN.NL
>         security = ads
>         idmap config * : range = 10000000-20000000
>         template shell = /sbin/nologin
>         winbind use default domain = false
>         winbind offline logon = false
>         preferred master = no
>         local master = no
>         server string = UMC WP2 Samba Test 01
>         encrypt passwords = yes
>         log level = 3 auth:10 winbind:10 idmap:10
>         log file = /var/log/samba/log.%m
>         max log size = 50
>         printing = bsd
>         load printers = no
>         disable spoolss = yes
>         show add printer wizard = no
>         winbind nested groups = yes
> # Configure writable TDB backend
>         idmap config * : backend = tdb
>         idmap config * : range = 10000000-20000000
> ## Configure read-only RESEARCHTEST and TESTUMCN AD backend
>         idmap config RESEARCHTEST : backend = ad
>         idmap config RESEARCHTEST : range = 100-9999999
>         idmap config RESEARCHTEST : schema_mode = rfc2307
>         idmap config TESTUMCN : backend = ad
>         idmap config TESTUMCN : range = 2000-9999999
>         idmap config TESTUMCN : schema_mode = rfc2307
>         winbind nss info = rfc2307
>         winbind expand groups = 2
>         ldap ssl = off
>
> The Kerberos config file reads:
>
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
> dns_lookup_realm = true
> dns_lookup_kdc = true
> ticket_lifetime = 24h
> renew_lifetime = 7d
> forwardable = true
>
> [appdefaults]
> pam = {
>    debug = false
>    ticket_lifetime = 36000
>    renew_lifetime = 36000
>    forwardable = true
>    krb4_convert = false
> }
>
> [realms]
>
> [domain_realm]
>
> Thanks for your help
>
>
> Kind regards,
> Ivo van Geel.
>
>
> The Radboud university medical center is listed in the Commercial Register
> of the Chamber of Commerce under file number 41055629.
>
>
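An added check, not code from the thread or from Samba: with the ad backend each domain's idmap range is only a filter on the uidNumber/gidNumber values read from that forest, so ranges that overlap between two trusted forests allow two different accounts to resolve to the same Unix UID. The script below parses the idmap config lines of a constructed smb.conf that mirrors the one posted above and reports every pair of overlapping ranges; in the posted config the RESEARCHTEST (100-9999999) and TESTUMCN (2000-9999999) ranges overlap.

```python
import re
from itertools import combinations

# smb.conf text constructed for this example; the idmap lines mirror the
# configuration quoted in the thread.
SMB_CONF = """
[global]
workgroup = RESEARCHTEST
realm = RESEARCHTEST.UMCN.NL
security = ads
idmap config * : backend = tdb
idmap config * : range = 10000000-20000000
idmap config RESEARCHTEST : backend = ad
idmap config RESEARCHTEST : range = 100-9999999
idmap config RESEARCHTEST : schema_mode = rfc2307
idmap config TESTUMCN : backend = ad
idmap config TESTUMCN : range = 2000-9999999
idmap config TESTUMCN : schema_mode = rfc2307
"""

# Matches "idmap config <DOMAIN> : <key> = <value>" (domain may be "*").
IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>\S+)\s*:\s*(?P<key>\w+)\s*=\s*(?P<val>.+?)\s*$",
    re.IGNORECASE,
)


def parse_idmap(conf):
    """Return {domain: {key: value}} for every 'idmap config' line."""
    domains = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            domains.setdefault(m["dom"].upper(), {})[m["key"].lower()] = m["val"]
    return domains


def parse_range(text):
    """Turn 'low-high' into (low, high), rejecting inverted ranges."""
    low, high = (int(x) for x in text.replace(" ", "").split("-", 1))
    if low > high:
        raise ValueError(f"inverted idmap range: {text}")
    return low, high


def overlapping_ranges(conf):
    """List (domainA, domainB) pairs whose idmap ranges share at least one ID."""
    ranges = {dom: parse_range(keys["range"])
              for dom, keys in parse_idmap(conf).items() if "range" in keys}
    clashes = []
    for a, b in combinations(sorted(ranges), 2):
        (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
        if alo <= bhi and blo <= ahi:  # closed intervals intersect
            clashes.append((a, b))
    return clashes
```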

