[Samba] getting winbind to work for authenticating 2 different domains - trusted
steven.schlegel1988 at googlemail.com
Mon Feb 21 08:48:51 MST 2011
I got a few questions about winbind / samba and multi domain
At my company we have to different domains.
DOMAIN-A and DOMAIN-B
My smb.conf is attached (global section only).
My linux server (rhel 5.4 x64) is configured with the security mode "ads"
and has been joined to the DOMAIN-A
via "net ads join DOMAIN-A -U administrator"
I can see the users and groups for DOMAIN-A and DOMAIN-B (with wbinfo -u /
wbinfo -g), even with "getent passwd"
and "getent group".
If I initiate the following command, only the list of users for DOMAIN-A
is successfull, users for DOMAIN-B alway fail:
id DOMAIN-A+schlegels -> successful
id DOMAIN-B+schlegels -> No such user
Can you please help me with this issue?
I spend more than a week with reading documentation about that, but I
can't figure out the problem.
Samba-Version (also required packages): 3.4.9
smb.conf (global section):
workgroup = DOMAIN-A
realm = DOMAIN-A.LCL
password server = dchh01.domain-a.lcl
preferred master = no
server string = Linux Test Server
security = ads
encrypt passwords = yes
local master = no
log level = 3
log file = /var/log/samba/%m
max log size = 50
winbind enum users = Yes
winbind enum groups = Yes
##winbind use default domain = Yes
winbind nested groups = Yes
#winbind separator = \\
winbind separator = +
winbind refresh tickets = yes
#winbind offline logon = false
winbind offline logon = true
winbind trusted domains only = no
map untrusted to domain = Yes
allow trusted domains = yes
#obey pam restrictions = yes
obey pam restrictions = no
idmap uid = 1000-60000
idmap gid = 1000-60000
idmap config DOMAIN-A : backend = rid
idmap config DOMAIN-A : range = 1000-30000
idmap config DOMAIN-B : backend = rid
idmap config DOMAIN-B : range = 31000-60000
passdb backend = tdbsam
;template primary group = "domain users"
template shell = /bin/bash
winbind nss info = rfc2307
client use spnego = yes
client ntlmv2 auth = yes
restrict anonymous = 2
Thanks in advance!
With best regards
More information about the samba