[Samba] getting winbind to work for authenticating 2 different domains - trusted

s.schlegel at eos-it-services.com s.schlegel at eos-it-services.com
Mon Feb 14 04:17:43 MST 2011


Hello guys,

I have a few questions about winbind / Samba and multi-domain 
authentication.
At my company we have two different domains.

DOMAIN-A and DOMAIN-B

My smb.conf is attached (global section only).

My linux server (rhel 5.4 x64) is configured with the security mode "ads" 
and has been joined to the DOMAIN-A
via "net ads join DOMAIN-A -U administrator"

I can see the users and groups for DOMAIN-A and DOMAIN-B (with wbinfo -u / 
wbinfo -g), even with "getent passwd" 
and "getent group".

If I run the following commands, only the lookup for a DOMAIN-A user 
is successful; DOMAIN-B users always fail:
id DOMAIN-A+schlegels -> successful
id DOMAIN-B+schlegels -> No such user

Can you please help me with this issue?
I have spent more than a week reading the documentation on this, but I 
can't figure out the problem.

Samba version (including the required packages): 3.4.9

smb.conf (global section):
[global]
  workgroup = DOMAIN-A
  realm = DOMAIN-A.LCL
  password server = dchh01.domain-a.lcl
  preferred master = no
  server string = Linux Test Server
  security = ads
  encrypt passwords = yes
  local master = no
  log level = 3
  log file = /var/log/samba/%m
  max log size = 50
  winbind enum users = Yes
  winbind enum groups = Yes
  ##winbind use default domain = Yes
  winbind nested groups = Yes
  #winbind separator = \\
  winbind separator = +
  winbind refresh tickets = yes
  #winbind offline logon = false
  winbind offline logon = true
  winbind trusted domains only = no
  map untrusted to domain = Yes
  allow trusted domains = yes
  #obey pam restrictions = yes
  obey pam restrictions = no
  idmap uid = 1000-60000
  idmap gid = 1000-60000
  idmap config DOMAIN-A : backend = rid
  idmap config DOMAIN-A : range = 1000-30000
  idmap config DOMAIN-B : backend = rid
  idmap config DOMAIN-B : range = 31000-60000
  passdb backend = tdbsam
  ;template primary group = "domain users"
  template shell = /bin/bash
  winbind nss info = rfc2307
  client use spnego = yes
  client ntlmv2 auth = yes
  restrict anonymous = 2


Thanks in advance!

With best regards
Steven Schlegel | EO-IT-NW
 
Tel: +49 (0)40 2850-1830 | s.schlegel at eos-it-services.com
Fax: +49 (0) 40 2850-51830 | http://www.eos-it-services.com


EOS IT Services GmbH | Steindamm 71, 20099 Hamburg | AG Hamburg HRB 65 213
Managing Directors | Dr. Roger Nolting, Hans-Joachim Tautz, Gunnar Woitack



This email may contain confidential and/or privileged information.
If you are not the intended recipient or have received this email in 
error, please notify the sender immediately and destroy this email.
Any unauthorized copying, disclosure or distribution of the material in 
this email is strictly forbidden.
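Added example (not part of the post above and not Samba's own code): a small Python check of the idmap layout in the posted [global] section, together with the wbinfo steps that trace a trusted-domain user from trust to name to SID to uid. The posted idmap lines are embedded as a constructed sample; the "fixed" variant is assumed from the idmap_rid(8) example, which keeps the default `idmap uid`/`idmap gid` range disjoint from every per-domain rid range. The overlap check does not prove that the overlap is what breaks `id DOMAIN-B+schlegels`; the printed wbinfo sequence is what shows on the box which step actually fails.

```python
"""Check an smb.conf idmap layout and emit wbinfo diagnostics for a trusted-domain user.

Added example, not code from the original post or from the Samba project.
"""
import re
from typing import Dict, List, Optional, Tuple

Range = Tuple[int, int]

# Constructed sample: the idmap-relevant lines of the [global] section from the post.
SAMPLE_SMB_CONF = """\
[global]
  workgroup = DOMAIN-A
  realm = DOMAIN-A.LCL
  security = ads
  allow trusted domains = yes
  idmap uid = 1000-60000
  idmap gid = 1000-60000
  idmap config DOMAIN-A : backend = rid
  idmap config DOMAIN-A : range = 1000-30000
  idmap config DOMAIN-B : backend = rid
  idmap config DOMAIN-B : range = 31000-60000
"""

# Assumed "fixed" layout, modelled on the idmap_rid(8) example: the default
# allocation range is moved so it no longer overlaps the per-domain rid ranges.
FIXED_SMB_CONF = (
    SAMPLE_SMB_CONF
    .replace("idmap uid = 1000-60000", "idmap uid = 1000000-1999999")
    .replace("idmap gid = 1000-60000", "idmap gid = 1000000-1999999")
)

DEFAULT_RE = re.compile(r"^idmap\s+(uid|gid)\s*=\s*(\d+)\s*-\s*(\d+)$", re.I)
DOMAIN_RE = re.compile(r"^idmap\s+config\s+([^:\s]+)\s*:\s*(backend|range)\s*=\s*(.+?)$", re.I)
RANGE_RE = re.compile(r"^(\d+)\s*-\s*(\d+)$")


def parse_idmap(conf: str) -> Tuple[Dict[str, Range], Dict[str, dict]]:
    """Return ({'uid': (lo, hi), 'gid': (lo, hi)}, {DOMAIN: {'backend': str, 'range': (lo, hi)}})."""
    defaults: Dict[str, Range] = {}
    domains: Dict[str, dict] = {}
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;[":  # skip blanks, comments and section headers
            continue
        m = DEFAULT_RE.match(line)
        if m:
            defaults[m.group(1).lower()] = (int(m.group(2)), int(m.group(3)))
            continue
        m = DOMAIN_RE.match(line)
        if m:
            dom, key, val = m.group(1).upper(), m.group(2).lower(), m.group(3).strip()
            entry = domains.setdefault(dom, {})
            if key == "range":
                r = RANGE_RE.match(val)
                entry["range"] = (int(r.group(1)), int(r.group(2))) if r else None
            else:
                entry["backend"] = val.lower()
    return defaults, domains


def overlaps(a: Range, b: Range) -> bool:
    return a[0] <= b[1] and b[0] <= a[1]


def check_idmap(conf: str) -> List[str]:
    """Return human-readable problems; an empty list means the ranges are consistent."""
    defaults, domains = parse_idmap(conf)
    problems: List[str] = []
    for dom, cfg in sorted(domains.items()):
        if "backend" not in cfg:
            problems.append(f"{dom}: range configured but no backend")
        if cfg.get("range") is None:
            problems.append(f"{dom}: backend configured but no usable range")
            continue
        lo, hi = cfg["range"]
        if lo >= hi:
            problems.append(f"{dom}: empty range {lo}-{hi}")
        # A per-domain range hands out both uids and gids, so it must stay clear
        # of the default allocation range in both directions.
        for kind in ("uid", "gid"):
            if kind in defaults and overlaps(cfg["range"], defaults[kind]):
                dlo, dhi = defaults[kind]
                problems.append(f"{dom}: range {lo}-{hi} overlaps default 'idmap {kind}' {dlo}-{dhi}")
    names = [d for d, c in sorted(domains.items()) if c.get("range")]
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if overlaps(domains[a]["range"], domains[b]["range"]):
                problems.append(f"{a} and {b}: per-domain ranges overlap")
    return problems


def rid_to_uid(rid: int, rng: Range, base_rid: int = 0) -> Optional[int]:
    """idmap_rid mapping ID = RID - BASE_RID + LOW_RANGE_ID; None when the result
    leaves the range, in which case the SID has no uid and the NSS lookup fails."""
    uid = rid - base_rid + rng[0]
    return uid if rng[0] <= uid <= rng[1] else None


def diagnostic_commands(domain: str, user: str, separator: str = "+") -> List[str]:
    """Shell commands tracing trust -> name -> SID -> uid -> NSS for one user."""
    name = f"{domain}{separator}{user}"
    return [
        "wbinfo -m",                                               # trusted domains winbind sees
        f"wbinfo -D {domain}",                                     # domain SID and trust details
        f"wbinfo -n '{name}'",                                     # name -> SID (first field)
        f"wbinfo -S \"$(wbinfo -n '{name}' | cut -d' ' -f1)\"",    # SID -> uid via idmap
        f"wbinfo -i '{name}'",                                     # passwd-style entry from winbind
        f"getent passwd '{name}'",                                 # what NSS, and therefore id, sees
    ]


if __name__ == "__main__":
    for label, conf in (("posted config", SAMPLE_SMB_CONF), ("disjoint ranges", FIXED_SMB_CONF)):
        print(f"{label}: {check_idmap(conf) or 'no idmap problems found'}")
    print("RID 1105 in DOMAIN-B range ->", rid_to_uid(1105, (31000, 60000)))
    print("RID 50000 in DOMAIN-B range ->", rid_to_uid(50000, (31000, 60000)))
    for cmd in diagnostic_commands("DOMAIN-B", "schlegels"):
        print(cmd)
```

Run the printed wbinfo lines in order on the joined host as root: the first command that fails is the layer to look at (trust not listed, name not resolving, or SID resolving but not mapping to a uid). The rid_to_uid helper also makes a range-width limit visible: with `idmap config DOMAIN-B : range = 31000-60000` any RID above 29000 maps outside the range and cannot get a uid.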


