[Samba] getting winbind to work for authenticating 2 different domains - trusted
s.schlegel at eos-it-services.com
Mon Feb 14 04:17:43 MST 2011
Hello guys,
I have a few questions about winbind / samba and multi domain
authentication.
At my company we have two different domains.
DOMAIN-A and DOMAIN-B
My smb.conf is attached (global section only).
My Linux server (rhel 5.4 x64) is configured with the security mode "ads"
and has been joined to the DOMAIN-A
via "net ads join DOMAIN-A -U administrator"
I can see the users and groups for DOMAIN-A and DOMAIN-B (with wbinfo -u /
wbinfo -g), even with "getent passwd"
and "getent group".
If I initiate the following command, only the list of users for DOMAIN-A
is successful, users for DOMAIN-B always fail:
id DOMAIN-A+schlegels -> successful
id DOMAIN-B+schlegels -> No such user
Can you please help me with this issue?
I spent more than a week reading documentation about that, but I
can't figure out the problem.
Samba-Version (also required packages): 3.4.9
smb.conf (global section):
[global]
workgroup = DOMAIN-A
realm = DOMAIN-A.LCL
password server = dchh01.domain-a.lcl
preferred master = no
server string = Linux Test Server
security = ads
encrypt passwords = yes
local master = no
log level = 3
log file = /var/log/samba/%m
max log size = 50
winbind enum users = Yes
winbind enum groups = Yes
##winbind use default domain = Yes
winbind nested groups = Yes
#winbind separator = \\
winbind separator = +
winbind refresh tickets = yes
#winbind offline logon = false
winbind offline logon = true
winbind trusted domains only = no
map untrusted to domain = Yes
allow trusted domains = yes
#obey pam restrictions = yes
obey pam restrictions = no
idmap uid = 1000-60000
idmap gid = 1000-60000
idmap config DOMAIN-A : backend = rid
idmap config DOMAIN-A : range = 1000-30000
idmap config DOMAIN-B : backend = rid
idmap config DOMAIN-B : range = 31000-60000
passdb backend = tdbsam
;template primary group = "domain users"
template shell = /bin/bash
winbind nss info = rfc2307
client use spnego = yes
client ntlmv2 auth = yes
restrict anonymous = 2
Thanks in advance!
With best regards
Steven Schlegel | EO-IT-NW
Tel: +49 (0)40 2850-1830 | s.schlegel at eos-it-services.com
Fax: +49 (0) 40 2850-51830 | http://www.eos-it-services.com
EOS. With head and heart in finance
EOS IT Services GmbH | Steindamm 71, 20099 Hamburg | AG Hamburg HRB 65 213
Managing Directors | Dr. Roger Nolting, Hans-Joachim Tautz, Gunnar Woitack
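Added example, not part of the original post and not a diagnosis of the reported failure: a small audit of the idmap lines quoted above, reporting ID ranges that overlap (Samba's idmap documentation asks for disjoint ranges, so that accounts from different domains can never resolve to the same Unix ID) and the highest RID the rid backend can place in each range. The function names are illustrative, and base_rid is assumed to be at its default of 0.

```python
import re

# The idmap lines from the [global] section quoted in the post above.
SMB_CONF = """\
idmap uid = 1000-60000
idmap gid = 1000-60000
idmap config DOMAIN-A : backend = rid
idmap config DOMAIN-A : range = 1000-30000
idmap config DOMAIN-B : backend = rid
idmap config DOMAIN-B : range = 31000-60000
"""

RANGE = re.compile(
    r"^\s*idmap\s+(uid|gid|config\s+(\S+)\s*:\s*range)\s*=\s*(\d+)\s*-\s*(\d+)\s*$",
    re.I)

def parse_ranges(text):
    """Return {owner: (low, high)}; owner is a domain or 'default uid'/'default gid'."""
    ranges = {}
    for line in text.splitlines():
        if line.lstrip().startswith(("#", ";")):
            continue  # commented-out setting
        m = RANGE.match(line)
        if m:
            owner = m.group(2) or "default " + m.group(1).lower()
            ranges[owner] = (int(m.group(3)), int(m.group(4)))
    return ranges

def overlaps(ranges):
    """Return sorted pairs of owners whose ID ranges intersect."""
    names = sorted(ranges)
    found = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if a.startswith("default") and b.startswith("default"):
                continue  # uid and gid are separate ID spaces
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:
                found.append((a, b))
    return found

def highest_rid(low, high, base_rid=0):
    """Largest RID idmap_rid can map into the range (ID = RID - base_rid + low)."""
    return high - low + base_rid

if __name__ == "__main__":
    parsed = parse_ranges(SMB_CONF)
    for a, b in overlaps(parsed):
        print(f"overlap: {a} {parsed[a]} <-> {b} {parsed[b]}")
    for name, (lo, hi) in parsed.items():
        if not name.startswith("default"):
            print(f"{name}: RIDs above {highest_rid(lo, hi)} fall outside the range")
```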