Samba authentication across AD forests

Ivo.vanGeel at radboudumc.nl
Thu Jan 16 06:44:31 MST 2014


Hello Hemanth,

Could you please tell me how to configure this?


Kind regards,

Ivo van Geel.

From: Hemanth Thummala [mailto:hemanth.thummala at gmail.com]
Sent: Thursday, 16 January 2014 14:43
To: Geel, Ivo van
CC: samba-technical
Subject: Re: Samba authentication across AD forests

Samba supports cross forest authentication.
I have verified with both samba 3.6.6 and 3.6.12 stacks against win2k8R2 domains.

Thanks,
Hemanth.

On Thu, Jan 16, 2014 at 6:05 PM, <Ivo.vanGeel at radboudumc.nl> wrote:
Hello all,

I am currently trying to connect a Samba server (running on CentOS 6.5) to a Windows 2008R2 AD domain (domain A),
which itself has a two-way transitive forest trust to another Windows 2008R2 AD domain (domain B).

The Samba server is joined to domain A and should be able to authenticate users in domain B.

Is this currently possible using some version of either Samba3 or Samba4?

The current Samba config file reads:

[global]
        workgroup = RESEARCHTEST
        realm = RESEARCHTEST.UMCN.NL
        security = ads
        template shell = /sbin/nologin
        winbind use default domain = false
        winbind offline logon = false
        preferred master = no
        local master = no
        server string = UMC WP2 Samba Test 01
        encrypt passwords = yes
        log level = 3 auth:10 winbind:10 idmap:10
        log file = /var/log/samba/log.%m
        max log size = 50
        printing = bsd
        load printers = no
        disable spoolss = yes
        show add printer wizard = no
        winbind nested groups = yes
# Configure writable TDB backend
        idmap config * : backend = tdb
        idmap config * : range = 10000000-20000000
## Configure read-only RESEARCHTEST and TESTUMCN AD backend
        idmap config RESEARCHTEST : backend = ad
        idmap config RESEARCHTEST : range = 100-9999999
        idmap config RESEARCHTEST : schema_mode = rfc2307
        idmap config TESTUMCN : backend = ad
        idmap config TESTUMCN : range = 2000-9999999
        idmap config TESTUMCN : schema_mode = rfc2307
        winbind nss info = rfc2307
        winbind expand groups = 2
        ldap ssl = off

The Kerberos config file reads:

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true

[appdefaults]
pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
}

[realms]

[domain_realm]

Thanks for your help


Kind regards,
Ivo van Geel.


Het Radboudumc staat geregistreerd bij de Kamer van Koophandel in het handelsregister onder nummer 41055629.
The Radboud university medical center is listed in the Commercial Register of the Chamber of Commerce under file number 41055629.
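A check worth running on a config like the one posted above before testing cross-forest logons, added here as an example and not part of the thread or of Samba itself: Samba requires the "idmap config DOM : range" values of the different domains to be disjoint, and a domain that has no range of its own (for instance the trusted forest's domain, if it were left out) gets its IDs allocated from the "*" default backend, which with tdb hands out IDs in first-seen order and so yields different uids on every server. The script below extracts the ranges from an smb.conf, reports overlaps and missing domains, and returns non-zero on any problem. The domain names are taken from the posted config; the sample file is constructed for this example, and check_idmap_ranges is a hypothetical helper, not a Samba tool.

```bash
#!/bin/bash
# Added example (not from the thread): sanity-check winbind idmap ranges
# in an smb.conf before relying on cross-forest authentication.

# check_idmap_ranges CONF DOMAIN...
#   Prints one line per problem; returns 1 if any were found, else 0.
check_idmap_ranges() {
    local conf="$1"; shift
    # Turn "idmap config DOM : range = LOW-HIGH" into "DOM LOW HIGH" triples.
    # A line given twice (as in the posted config) collapses under sort -u.
    sed -n -E 's/^[[:space:]]*idmap config[[:space:]]+([^[:space:]:]+)[[:space:]]*:[[:space:]]*range[[:space:]]*=[[:space:]]*([0-9]+)[[:space:]]*-[[:space:]]*([0-9]+).*$/\1 \2 \3/p' "$conf" \
    | sort -u \
    | awk -v want="$*" '
        { dom[NR] = $1; lo[NR] = $2 + 0; hi[NR] = $3 + 0; seen[$1] = 1 }
        END {
            rc = 0
            # Every domain we expect winbind to serve needs its own range,
            # otherwise its users silently land in the "*" (tdb) range.
            n = split(want, w, " ")
            for (i = 1; i <= n; i++)
                if (!(w[i] in seen)) {
                    print "MISSING: no \"idmap config " w[i] " : range\"; its ids would come from the \"*\" range"
                    rc = 1
                }
            # Ranges must be well-formed and pairwise disjoint.
            for (i = 1; i <= NR; i++) {
                if (lo[i] > hi[i]) {
                    print "INVALID: " dom[i] " range " lo[i] "-" hi[i]
                    rc = 1
                }
                for (j = i + 1; j <= NR; j++)
                    if (lo[i] <= hi[j] && lo[j] <= hi[i]) {
                        print "OVERLAP: " dom[i] " (" lo[i] "-" hi[i] ") and " dom[j] " (" lo[j] "-" hi[j] ")"
                        rc = 1
                    }
            }
            exit rc
        }'
}

# Constructed sample with the idmap lines of the posted config.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[global]
        idmap config * : backend = tdb
        idmap config * : range = 10000000-20000000
        idmap config RESEARCHTEST : backend = ad
        idmap config RESEARCHTEST : range = 100-9999999
        idmap config TESTUMCN : backend = ad
        idmap config TESTUMCN : range = 2000-9999999
EOF
check_idmap_ranges "$sample" RESEARCHTEST TESTUMCN \
    || echo "fix the ranges before testing logons from the trusted forest"
rm -f "$sample"
```

Run it against the real /etc/samba/smb.conf with the joined domain and every trusted domain you expect to serve as arguments; a clean run prints nothing and exits 0. The check reads the file only, so it is safe to run on a production server, and it complements rather than replaces the runtime view from "wbinfo -m" and "wbinfo --online-status".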
