[Samba] Samba with clients in multiple domains

Denis Cardon denis.cardon at tranquil-it-systems.fr
Fri Feb 10 08:55:12 MST 2012

Hi Robin,

> I've not got a good starting point I'm afraid, but I was forced to deploy Samba under pressure of failing hardware so an urgent migration was done. We didn't get the IBM AIX 6.1 supplied one running at all, so we pulled down the samba.org version 3.4.3. We couldn't get that working as we wished, but it did at least share. It has been merrily allowing any request to mount (read-only) the shares. All was well with the function, but obviously it is not appropriate for the sensitive data was are sharing. The setting I had to put in was security=SHARE and on each share, we have guest login allowed.
> My problem is that our clients are in at least two domains and the server is standalone, i.e. no LDAP or whatever connection set up on the operating system in /etc/netsrv.conf or anything. We are an outsourcing company so we have our servers&  users and the client company users all wanting to access the data.
> I've tried reading the manual pages, but I have to understand much more about security and protocols than I do to get my foot in the door, so to speak. The more I try to find out, the more confused I get.  What I have tried has always prevented any access. Great for security, but useless for actually operating the business.
> It has been parked for quite a while now especially as the failing hardware also allowed guest connections so I had nothing to compare to. I've now forgotten what attempts I have made, but now Internal Audit are on my case to lock it down. Can anyone point me in the right direction? I would prefer to grant access to an Active Directory group of users if that is possible, but then it needs to validate the user on more than one domain......um?
> My head hurts already.
> Full config (slightly sanitised) can be posted if this is useful, but I didn't want to flood the thread first off.

documentation on the web is fine for configuring kerberos/smb/winbind 
for one domain, but I also found it hard to getthe sid/uid mapping right 
in a multiple domain environment. Idmap has changed so many times since 
smb 3.0 that it is hard to know which doc is fine... I hope the 3.6 way 
will be the definitive one :-)

Here is a smb.conf that I is working fine with two domain. servera is 
joined to AD kerberos DOMA.LOCAL. There is interdomain trust with 
         security = ads
         realm = DOMA.LOCAL
         password server =
         workgroup = DOMA
         winbind separator = +

         idmap backend = tdb
         idmap uid = 1000000-1999999
         idmap gid = 1000000-1999999
         idmap config DOMA : backend     = rid
         idmap config DOMA : range       = 10000 - 49999

         idmap config DOMB : backend  = rid
         idmap config DOMB : range    = 50000 - 99999

         winbind enum users = yes
         winbind enum groups = yes
         template homedir = /home/%D/%U
         template shell = /bin/bash
         client use spnego = yes
         client ntlmv2 auth = yes
         encrypt passwords = yes
         winbind use default domain = yes
         restrict anonymous = 2
         wins server =

         printcap name = /etc/printcap
         load printers = no

         path = /home/myshare
         guest ok= no
         write list= @"group1" @"DOMB+group2"
         writeable = yes
         force create mode = 0770

Hope this helps,

Denis Cardon

> Robin
> Liverpool/Blackburn
> UK
> Diligenta Limited (No. 5535029) is a subsidiary of Tata Consultancy Services Limited. Diligenta 2 Limited (No. 4087012) is a subsidiary of Diligenta Limited.
> Both companies are registered in England and have their registered office at Lynch Wood, Peterborough, PE2 6FY and are authorised and regulated by the Financial Services Authority.
> The information in this e-mail is confidential and may be legally privileged. It is intended solely for the addressee and access to this e-mail by anyone else is unauthorised. Although this message and any attachments are believed to be free of any virus or other defect that might affect any computer system into which it is received and opened, it is the responsibility of the recipient to ensure that it is virus free and no responsibility is accepted by Diligenta Limited or Diligenta 2 Limited for any loss or damage in any way arising from its use. Any views or opinions presented are solely those of the author and do not necessarily represent those of Diligenta Limited or Diligenta 2 Limited. Replies to this e-mail may be monitored for operational or business reasons.

Denis Cardon
Tranquil IT Systems
44 bvd des pas enchantés
44230 Saint Sébastien sur Loire
tel : +33 (0)

More information about the samba mailing list