Samba authentication across AD forests

Hemanth Thummala hemanth.thummala at gmail.com
Thu Jan 16 09:19:31 MST 2014


Hi Ivo van Geel,

There is no separate configuration required in smb.conf. Just make sure
that the forest trust is proper.
If your server is joined to Domain A, DomainB\users will get authenticated
with this trust.
But to access the shares you will need to assign the appropriate ACLs for
these remote trusted domain users.

Thanks,
Hemanth.
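
As an added check (not part of this thread or of Samba's own tooling): the idmap_ad manual page requires that the ranges of different idmap configurations do not overlap, yet the smb.conf quoted below gives RESEARCHTEST and TESTUMCN overlapping ranges, so trusted-domain users mapped through the wrong domain can collide on uid/gid. This script parses the `idmap config` lines of a constructed smb.conf modelled on that one and reports missing, malformed or overlapping ranges.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the smb.conf posted in this thread
# (the two AD domains' ranges overlap exactly as in the original).
SAMPLE_SMB_CONF = """
[global]
        workgroup = RESEARCHTEST
        security = ads
        idmap config * : backend = tdb
        idmap config * : range = 10000000-20000000
        idmap config RESEARCHTEST : backend = ad
        idmap config RESEARCHTEST : range = 100-9999999
        idmap config TESTUMCN : backend = ad
        idmap config TESTUMCN : range = 2000-9999999
"""

# Matches "idmap config <domain> : <option> = <value>" (case-insensitive).
IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)


def parse_idmap(text):
    """Return {DOMAIN: {option: value}} for every 'idmap config' line."""
    cfg = defaultdict(dict)
    for line in text.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.groups()
            cfg[dom.upper()][opt.lower()] = val
    return dict(cfg)


def check_ranges(cfg):
    """Return a list of problems: missing, unusable and overlapping ranges."""
    problems, ranges = [], {}
    for dom, opts in cfg.items():
        rng = opts.get("range")
        if rng is None:
            problems.append(f"{dom}: no range configured")
            continue
        m = re.fullmatch(r"\s*(\d+)\s*-\s*(\d+)\s*", rng)
        if not m or int(m.group(1)) > int(m.group(2)):
            problems.append(f"{dom}: unusable range {rng!r}")
            continue
        ranges[dom] = (int(m.group(1)), int(m.group(2)))
    doms = sorted(ranges)
    for i, a in enumerate(doms):          # pairwise overlap test: [lo_a,hi_a] vs [lo_b,hi_b]
        for b in doms[i + 1:]:
            (lo_a, hi_a), (lo_b, hi_b) = ranges[a], ranges[b]
            if lo_a <= hi_b and lo_b <= hi_a:
                problems.append(f"{a} and {b} overlap: {lo_a}-{hi_a} vs {lo_b}-{hi_b}")
    return problems


if __name__ == "__main__":
    for p in check_ranges(parse_idmap(SAMPLE_SMB_CONF)):
        print("WARNING:", p)
```

Run it against a real smb.conf by reading the file into `parse_idmap`; an empty result means the ranges are disjoint and well-formed.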


On Thu, Jan 16, 2014 at 7:14 PM, <Ivo.vanGeel at radboudumc.nl> wrote:

> Hello Hemanth,
>
> Could you please tell me how to configure this?
>
> Kind regards,
>
> Ivo van Geel.
>
> *From:* Hemanth Thummala [mailto:hemanth.thummala at gmail.com]
> *Sent:* Thursday 16 January 2014 14:43
> *To:* Geel, Ivo van
> *CC:* samba-technical
> *Subject:* Re: Samba authentication across AD forests
>
> Samba supports cross forest authentication.
>
> I have verified with both samba 3.6.6 and 3.6.12 stacks against win2k8R2
> domains.
>
> Thanks,
>
> Hemanth.
>
> On Thu, Jan 16, 2014 at 6:05 PM, <Ivo.vanGeel at radboudumc.nl> wrote:
>
> Hello all,
>
> I am currently trying to connect a Samba server (running on CentOS 6.5) to
> a Windows 2008R2 AD domain (domain A),
> which itself has a two-way transitive forest trust to another Windows
> 2008R2 AD domain (domain B).
>
> The Samba server is joined to domain A and should be able to authenticate
> users in domain B.
>
> Is this currently possible using some version of either Samba3 or Samba4?
>
> The current Samba config file reads:
>
> [global]
>         workgroup = RESEARCHTEST
>         realm = RESEARCHTEST.UMCN.NL
>         security = ads
>         idmap config * : range = 10000000-20000000
>         template shell = /sbin/nologin
>         winbind use default domain = false
>         winbind offline logon = false
>         preferred master = no
>         local master = no
>         server string = UMC WP2 Samba Test 01
>         encrypt passwords = yes
>         log level = 3 auth:10 winbind:10 idmap:10
>         log file = /var/log/samba/log.%m
>         max log size = 50
>         printing = bsd
>         load printers = no
>         disable spoolss = yes
>         show add printer wizard = no
>         winbind nested groups = yes
>         # Configure writable TDB backend
>         idmap config * : backend = tdb
>         idmap config * : range = 10000000-20000000
>         ## Configure read-only RESEARCHTEST and TESTUMCN AD backend
>         idmap config RESEARCHTEST : backend = ad
>         idmap config RESEARCHTEST : range = 100-9999999
>         idmap config RESEARCHTEST : schema_mode = rfc2307
>         idmap config TESTUMCN : backend = ad
>         idmap config TESTUMCN : range = 2000-9999999
>         idmap config TESTUMCN : schema_mode = rfc2307
>         winbind nss info = rfc2307
>         winbind expand groups = 2
>         ldap ssl = off
>
> The Kerberos config file reads:
>
> [logging]
>         default = FILE:/var/log/krb5libs.log
>         kdc = FILE:/var/log/krb5kdc.log
>         admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
>         dns_lookup_realm = true
>         dns_lookup_kdc = true
>         ticket_lifetime = 24h
>         renew_lifetime = 7d
>         forwardable = true
>
> [appdefaults]
>         pam = {
>                 debug = false
>                 ticket_lifetime = 36000
>                 renew_lifetime = 36000
>                 forwardable = true
>                 krb4_convert = false
>         }
>
> [realms]
>
> [domain_realm]
>
> Thanks for your help
>
>
> Kind regards,
> Ivo van Geel.
>
>
> The Radboud university medical center is listed in the Commercial Register
> of the Chamber of Commerce under file number 41055629.
>