[Samba] Trusted domain users unwantedly mapping onto local domain users

Bruce Richardson itsbruce at workshy.org
Thu Oct 21 09:59:59 MDT 2010

Having set up a two-way trust between a Samba domain (with LDAP backend)
and an AD domain, I find that
 1. Users from the trusted domain are authenticated against the proper
    DC (that is, their regular password works), but only if there is a
    corresponding local domain user.

 2. Users from the trusted domain are being mapped onto Samba/POSIX
    users associated with the local Samba domain, despite the fact that the
    correct idmap objects are being created in the directory.  If they
    connect to a share, they connect as the local domain user (although,
    oddly, they can create new files and directories but not delete old

More information:

The local domain uses an LDAP backend, with ldapsam:editposix and
ldapsam:trusted set.  LDAP is used for all domain configs (BUILTIN,
OFFICE domain and external domains).  Winbind is used on the domain
controllers for GID/UID allocation (and for id mappings for foreign
domains), but nss_ldap is used on all the servers, DC or member, to
provide the POSIX user information via nsswitch.conf.  winbind is not
currently running on the member servers (not needed for a single domain
because of nss_ldap).

All this was working perfectly.  Adding the domain trust worked
flawlessly.  Then I tried - on the PDC and BDC only - to have users
from the trusted domain connecting to shares.  So I changed
nsswitch.conf from

  passwd: files ldap
  group: files ldap

to

  passwd: files ldap winbind
  group: files ldap winbind

I added details of the AD domain's PDC to krb5.conf, set the auth user
file and restarted winbindd for luck.

 * "wbinfo -u" and "wbinfo -g" list the trusted domain users and groups.
 * "getent passwd" returns the trusted users in the list as
 * The idmap OU in the directory now has two dozen
   entries (the AD domain is only used for one specialist part of the

So far so good.  "getent group" and "getent passwd" show the TRUSTED
domain users have been added and are visible as POSIX users.  TRUSTED
users can authenticate to any OFFICE member servers using their own
passwords (with the important caveat mentioned above).  At this point,
I'm at something of a loss.  I can ssh into the domain controller as
TRUSTED\test.user, whether or not there is a corresponding user in the
local domain, and the correct UID and GID will be assigned, but I can
only connect to Samba as that user if there is a corresponding local
domain user and I am then assigned their UID and GID.

Can anybody suggest what I may have missed?  I can post the relevant
domain controller configs.

I don't know if it's relevant to this, but winbind keeps trying to write
to krb5.conf and being blocked by selinux.  Haven't had time to
investigate that.


I unfortunately do not know how to turn cheese into gold.
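The symptom above only appears when a trusted-domain user has the same short name as a local-domain user, and the trusted user then ends up with the local user's UID and GID. The script below is an added diagnostic, not code from the original post or from the Samba project: it takes `getent passwd` output (the constructed sample lines embedded here, or the live NSS view when `getent` is available), lists every `DOMAIN\user` whose short name shadows an unqualified local account, and separately reports any UID that two accounts share. It assumes the default backslash winbind separator and that, as in the post, local users come back unqualified via nss_ldap while trusted users come back domain-qualified via winbind.

```python
"""Audit `getent passwd` output for trusted-domain accounts that shadow a local account.

Added example, not code from the original post. Assumes the default winbind
separator (backslash), unqualified local-domain users (nss_ldap) and
DOMAIN\\user trusted-domain users (winbind). Sample lines are constructed.
"""
import subprocess
from collections import defaultdict

WINBIND_SEPARATOR = "\\"  # assumed: Samba's default 'winbind separator'

# Constructed sample of `getent passwd` on a DC running nss_ldap + winbind.
# TRUSTED\test.user has its own winbind-allocated UID, distinct from local test.user.
SAMPLE_GETENT_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
test.user:x:10001:10001:Test User (OFFICE):/home/test.user:/bin/bash
alice:x:10002:10001:Alice (OFFICE):/home/alice:/bin/bash
TRUSTED\\test.user:*:30001:30001:Test User (TRUSTED):/home/TRUSTED/test.user:/bin/false
TRUSTED\\bob:*:30005:30001:Bob (TRUSTED):/home/TRUSTED/bob:/bin/false
"""


def parse_passwd(text):
    """Parse passwd(5)-format lines into dicts; blank lines and comments are skipped."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError("malformed passwd line: %r" % line)
        name, _pw, uid, gid, gecos, home, shell = fields
        entries.append({"name": name, "uid": int(uid), "gid": int(gid),
                        "gecos": gecos, "home": home, "shell": shell})
    return entries


def split_domain(name, sep=WINBIND_SEPARATOR):
    """Return (domain, short_name); domain is None for an unqualified local name."""
    if sep in name:
        domain, short = name.split(sep, 1)
        return domain, short
    return None, name


def find_shadowed_accounts(entries, sep=WINBIND_SEPARATOR):
    """Return sorted (trusted_name, trusted_uid, local_name, local_uid) tuples for
    every DOMAIN\\user whose short name equals an unqualified local user.

    This is the precondition for the mis-mapping described in the post: the
    trusted user only gets onto a share when a same-named local user exists,
    and is then given that user's UID/GID rather than its own idmap entry.
    """
    local_by_short = {}
    for e in entries:
        domain, short = split_domain(e["name"], sep)
        if domain is None:
            local_by_short[short] = e
    hits = []
    for e in entries:
        domain, short = split_domain(e["name"], sep)
        if domain is not None and short in local_by_short:
            local = local_by_short[short]
            hits.append((e["name"], e["uid"], local["name"], local["uid"]))
    return sorted(hits)


def find_uid_collisions(entries):
    """Return {uid: [names]} for every UID held by more than one account.

    Two names on one UID are the same principal to the file system, so any
    ACL or ownership granted to one is granted to both.
    """
    by_uid = defaultdict(list)
    for e in entries:
        by_uid[e["uid"]].append(e["name"])
    return {uid: sorted(names) for uid, names in by_uid.items() if len(names) > 1}


def load_passwd():
    """Use the live NSS view when getent is available, otherwise the constructed sample."""
    try:
        out = subprocess.run(["getent", "passwd"], capture_output=True, text=True, check=True)
        return out.stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        return SAMPLE_GETENT_PASSWD


if __name__ == "__main__":
    entries = parse_passwd(load_passwd())
    for trusted, tuid, local, luid in find_shadowed_accounts(entries):
        print(f"{trusted} (uid {tuid}) shadows local {local} (uid {luid})")
    for uid, names in find_uid_collisions(entries).items():
        print(f"uid {uid} shared by: {', '.join(names)}")
```

Run on a DC, the first report lists exactly the accounts for which the behaviour in the post would be triggered; the second is empty when NSS itself is consistent (as the post says it is, since ssh assigns the right IDs), which points the investigation at how smbd resolves the name rather than at the idmap data.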
