[Samba] getting winbind to work for authenticating 2 different domains - trusted

Steven Schlegel steven.schlegel1988 at googlemail.com
Mon Feb 21 08:48:51 MST 2011

Hello guys,

I have a few questions about winbind / Samba and multiple domains.
At my company we have two different domains.


My smb.conf is attached (global section only).

My linux server (rhel 5.4 x64) is configured with the security mode "ads"
and has been joined to the DOMAIN-A
via "net ads join DOMAIN-A -U administrator"

I can see the users and groups for DOMAIN-A and DOMAIN-B (with wbinfo -u /
wbinfo -g), even with "getent passwd" and "getent group".

If I run the following commands, only the lookup of users for DOMAIN-A
is successful; users for DOMAIN-B always fail:
id DOMAIN-A+schlegels -> successful
id DOMAIN-B+schlegels -> No such user

Can you please help me with this issue?
I spent more than a week reading documentation about this, but I
can't figure out the problem.

Samba-Version (also required packages): 3.4.9

smb.conf (global section):
 workgroup = DOMAIN-A
 realm = DOMAIN-A.LCL
 password server = dchh01.domain-a.lcl
 preferred master = no
 server string = Linux Test Server
 security = ads
 encrypt passwords = yes
 local master = no
 log level = 3
 log file = /var/log/samba/%m
 max log size = 50
 winbind enum users = Yes
 winbind enum groups = Yes
 ##winbind use default domain = Yes
 winbind nested groups = Yes
 #winbind separator = \\
 winbind separator = +
 winbind refresh tickets = yes
 #winbind offline logon = false
 winbind offline logon = true
 winbind trusted domains only = no
 map untrusted to domain = Yes
 allow trusted domains = yes
 #obey pam restrictions = yes
 obey pam restrictions = no
 idmap uid = 1000-60000
 idmap gid = 1000-60000
 idmap config DOMAIN-A : backend = rid
 idmap config DOMAIN-A : range = 1000-30000
 idmap config DOMAIN-B : backend = rid
 idmap config DOMAIN-B : range = 31000-60000
 passdb backend = tdbsam
 ;template primary group = "domain users"
 template shell = /bin/bash
 winbind nss info = rfc2307
 client use spnego = yes
 client ntlmv2 auth = yes
 restrict anonymous = 2

Thanks in advance!

With best regards
Steven Schlegel
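The following script is an added example and is not part of the original post or of Samba. It reproduces the arithmetic the winbind "rid" idmap backend applies (uid = range low + RID, with the default base_rid of 0, as documented in idmap_rid(8)) and runs two checks on the [global] idmap settings above that are worth doing before blaming the trust itself: whether any per-domain range overlaps the default "idmap uid" range or another domain's range (Samba's idmap documentation requires the ranges to be disjoint), and whether a given RID can be mapped at all inside its domain's range. The embedded smb.conf fragment is a constructed copy of the ranges in the post; the parsing assumes lines of the form "idmap config DOMAIN : range = low-high" and does not handle the "*" default domain or per-domain base_rid settings. Pass a real smb.conf path as the first argument to check a live file instead.

```shell
#!/bin/bash
# Added example (not the poster's or Samba's code): idmap range sanity checks
# for a multi-domain winbind setup using the rid backend.

# Constructed sample mirroring the ranges in the post; used when no file is given.
SAMPLE_CONF='
 idmap uid = 1000-60000
 idmap gid = 1000-60000
 idmap config DOMAIN-A : backend = rid
 idmap config DOMAIN-A : range = 1000-30000
 idmap config DOMAIN-B : backend = rid
 idmap config DOMAIN-B : range = 31000-60000
'

# idmap_range CONF DOMAIN -> prints "low high" for the domain's configured range.
# An empty DOMAIN reads the default "idmap uid" range instead.
idmap_range() {
    local conf="$1" dom="$2"
    if [ -z "$dom" ]; then
        printf '%s\n' "$conf" | awk -F'=' '$1 ~ /^[ \t]*idmap uid[ \t]*$/ {
            gsub(/[ \t]/, "", $2); split($2, r, "-"); print r[1], r[2]; exit }'
    else
        printf '%s\n' "$conf" | awk -F'=' -v dom="$dom" \
            '$1 ~ ("^[ \t]*idmap config " dom "[ \t]*:[ \t]*range[ \t]*$") {
                gsub(/[ \t]/, "", $2); split($2, r, "-"); print r[1], r[2]; exit }'
    fi
}

# idmap_domains CONF -> one domain name per line, taken from the range lines.
idmap_domains() {
    printf '%s\n' "$1" | awk -F'=' '$1 ~ /^[ \t]*idmap config .*:[ \t]*range[ \t]*$/ {
        sub(/^[ \t]*idmap config[ \t]*/, "", $1); sub(/[ \t]*:.*$/, "", $1); print $1 }'
}

# ranges_overlap LOW1 HIGH1 LOW2 HIGH2 -> true when the two inclusive ranges share an ID.
ranges_overlap() {
    [ "$1" -le "$4" ] && [ "$3" -le "$2" ]
}

# rid_to_uid CONF DOMAIN RID -> prints the uid the rid backend would produce.
# Returns 1 if the RID falls outside the domain's range, 2 if the domain has no range.
rid_to_uid() {
    local conf="$1" dom="$2" rid="$3" low high uid
    set -- $(idmap_range "$conf" "$dom")
    low="$1"; high="$2"
    if [ -z "$low" ]; then
        echo "no 'idmap config $dom : range' found" >&2
        return 2
    fi
    uid=$((low + rid))          # idmap_rid: ID = RID + LOW_RANGE_ID (base_rid = 0)
    if [ "$uid" -gt "$high" ]; then
        echo "$dom RID $rid -> uid $uid exceeds range end $high; winbind cannot map it" >&2
        return 1
    fi
    echo "$uid"
}

# check_conf CONF -> prints one WARN line per overlapping pair of ranges.
# The return code is the number of problems found (0 means the ranges are disjoint).
check_conf() {
    local conf="$1" problems=0 deflow defhigh d e dl dh el eh seen=""
    set -- $(idmap_range "$conf" "")
    deflow="$1"; defhigh="$2"
    for d in $(idmap_domains "$conf"); do
        set -- $(idmap_range "$conf" "$d"); dl="$1"; dh="$2"
        if [ -n "$deflow" ] && ranges_overlap "$deflow" "$defhigh" "$dl" "$dh"; then
            echo "WARN: $d range $dl-$dh overlaps default 'idmap uid' range $deflow-$defhigh"
            problems=$((problems + 1))
        fi
        for e in $seen; do          # compare each pair of domains once
            set -- $(idmap_range "$conf" "$e"); el="$1"; eh="$2"
            if ranges_overlap "$dl" "$dh" "$el" "$eh"; then
                echo "WARN: $d range $dl-$dh overlaps $e range $el-$eh"
                problems=$((problems + 1))
            fi
        done
        seen="$seen $d"
    done
    return "$problems"
}

# Stand-alone run: check a real smb.conf if given, otherwise the constructed sample.
if [ -n "$1" ] && [ -r "$1" ]; then CONF=$(cat "$1"); else CONF="$SAMPLE_CONF"; fi
check_conf "$CONF" || :
rid_to_uid "$CONF" DOMAIN-A 500 || :      # built-in Administrator RID
rid_to_uid "$CONF" DOMAIN-B 29500 || :    # a RID the 31000-60000 range cannot hold
```

On the ranges in the post, both per-domain ranges sit inside the default 1000-60000 range, so the script reports two overlaps, and any DOMAIN-B account whose RID is above 29000 cannot be mapped at all, since 31000 + RID would exceed 60000. Whether either of those is what produces "No such user" for DOMAIN-B here is for the poster to confirm with "wbinfo -n DOMAIN-B+user" and "wbinfo -S <SID>" against the live server; the script only makes the arithmetic and the overlap visible.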

