[Samba] getting winbind to work for authenticating 2 different domains - trusted

Steven Schlegel steven.schlegel1988 at googlemail.com
Mon Feb 21 08:48:51 MST 2011


Hello guys,

I got a few questions about winbind / samba and multi domain
authentication.
At my company we have two different domains.

DOMAIN-A and DOMAIN-B

My smb.conf is attached (global section only).

My linux server (rhel 5.4 x64) is configured with the security mode "ads"
and has been joined to the DOMAIN-A
via "net ads join DOMAIN-A -U administrator"

I can see the users and groups for DOMAIN-A and DOMAIN-B (with wbinfo -u /
wbinfo -g), even with "getent passwd"
and "getent group".

If I initiate the following command, only the list of users for DOMAIN-A
is successful, users for DOMAIN-B always fail:
id DOMAIN-A+schlegels -> successful
id DOMAIN-B+schlegels -> No such user

Can you please help me with this issue?
I spent more than a week reading documentation about that, but I
can't figure out the problem.

Samba-Version (also required packages): 3.4.9

smb.conf (global section):
[global]
 workgroup = DOMAIN-A
 realm = DOMAIN-A.LCL
 password server = dchh01.domain-a.lcl
 preferred master = no
 server string = Linux Test Server
 security = ads
 encrypt passwords = yes
 local master = no
 log level = 3
 log file = /var/log/samba/%m
 max log size = 50
 winbind enum users = Yes
 winbind enum groups = Yes
 ##winbind use default domain = Yes
 winbind nested groups = Yes
 #winbind separator = \\
 winbind separator = +
 winbind refresh tickets = yes
 #winbind offline logon = false
 winbind offline logon = true
 winbind trusted domains only = no
 map untrusted to domain = Yes
 allow trusted domains = yes
 #obey pam restrictions = yes
 obey pam restrictions = no
 idmap uid = 1000-60000
 idmap gid = 1000-60000
 idmap config DOMAIN-A : backend = rid
 idmap config DOMAIN-A : range = 1000-30000
 idmap config DOMAIN-B : backend = rid
 idmap config DOMAIN-B : range = 31000-60000
 passdb backend = tdbsam
 ;template primary group = "domain users"
 template shell = /bin/bash
 winbind nss info = rfc2307
 client use spnego = yes
 client ntlmv2 auth = yes
 restrict anonymous = 2


Thanks in advance!

With best regards
Steven Schlegel
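An added diagnostic that is not part of the original post and not Samba project code: with "backend = rid" winbind allocates uid = (range low) + RID, assuming the default base rid of 0, and refuses any result above the range high, which is one way a DOMAIN-B lookup ends in "No such user" while "wbinfo -u" still lists the account. The idmap lines below are a constructed copy of the ones in the post, and the function names are my own.

```shell
#!/bin/sh
# Constructed copy of the idmap lines from the post (embedded sample, not read from /etc/samba).
SMB_CONF_SAMPLE='
idmap uid = 1000-60000
idmap gid = 1000-60000
idmap config DOMAIN-A : backend = rid
idmap config DOMAIN-A : range = 1000-30000
idmap config DOMAIN-B : backend = rid
idmap config DOMAIN-B : range = 31000-60000
'

# idmap_range DOMAIN: print "low high" for the domain's configured range, nothing if absent.
idmap_range() {
    printf '%s\n' "$SMB_CONF_SAMPLE" \
      | sed -n "s/^[[:space:]]*idmap config $1[[:space:]]*:[[:space:]]*range[[:space:]]*=[[:space:]]*\([0-9]*\)-\([0-9]*\).*/\1 \2/p"
}

# rid_to_uid DOMAIN RID: print the uid the rid backend would hand out (low + RID, base rid 0).
# Returns 1 and prints nothing when the domain has no range or the uid would exceed the
# range high; winbind reports exactly that as "No such user".
rid_to_uid() {
    dom=$1; rid=$2
    range=$(idmap_range "$dom")
    [ -n "$range" ] || return 1
    low=${range% *}; high=${range#* }
    uid=$((low + rid))
    [ "$uid" -le "$high" ] || return 1
    printf '%s\n' "$uid"
}

# sid_to_uid DOMAIN SID: the RID is the last component of the SID (S-1-5-21-...-RID).
sid_to_uid() {
    rid_to_uid "$1" "${2##*-}"
}

# Stand-alone run: a RID that fits both ranges, and one that only overflows DOMAIN-B's span.
for d in DOMAIN-A DOMAIN-B; do
    for r in 1106 29500; do
        if uid=$(rid_to_uid "$d" "$r"); then
            echo "$d RID $r -> uid $uid"
        else
            echo "$d RID $r -> outside idmap range (winbind: No such user)"
        fi
    done
done
```

The script only tests the range condition; a domain whose NetBIOS name does not match the "idmap config" key is a separate case it does not detect.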