[Samba] samba + kerberos + active directory with multiple domains

Dale Schroeder dale at BriannasSaladDressing.com
Tue Oct 29 12:24:25 MDT 2013


Richard,

See if the example for multiple domains as shown on this page is what 
you are looking for:

http://www.samba.org/samba/docs/man/manpages/idmap_rid.8.html

Dale


On 10/28/2013 11:21 AM, Winkel, Richard J. wrote:
> Could someone just send me a working config that works with multiple ad
> domains?  Anything would be helpful...
>
> Thanks!
> Rich
>
> On 10/26/13 1:32 PM, Winkel, Richard J. wrote:
>> I've almost got this thing working.  I have it set up on a centos machine to authenticate logins and automounts to windows file servers.  But it won't allow me to specify a domain as part of the userid.  I can set a default domain in smb.conf and logging into that domain works like a champ.  And I can list the other domains with "wbinfo --online-status" (not sure what "offline" means but I can list the groups even in the offline domains).  But if I turn off the default domain in smb.conf
>>           winbind use default domain = false
>> and specify a delimiter
>>           winbind separator = \
>> and try "wbinfo -a somedomain\\someuser" I get "no such user".  I assume the local /etc/passwd file has to include the domain\userid as well, correct?
No, idmap_rid does not use the local password file.
>>    But maybe wbinfo -a doesn't reference the local passwd file.
>> In any case, here are krb5.conf and smb.conf.   Can someone tell me what I'm missing?
>> Many thanks for any help!!!
>>
>>
>> ### /etc/krb5.conf ###
>>
>> [logging]
>>    default = FILE:/var/log/krb5libs.log
>>    kdc = FILE:/var/log/krb5kdc.log
>>    admin_server = FILE:/var/log/kadmind.log
>>
>> [libdefaults]
>>    default_realm = COL.MISSOURI.EDU
>>    dns_lookup_realm = false
>>    dns_lookup_kdc = false
>>    ticket_lifetime = 24h
>>    renew_lifetime = 7d
>>    forwardable = true
>>
>> [realms]
>>    COL.MISSOURI.EDU = {
>>     kdc = col.missouri.edu
>>     admin_server = col.missouri.edu
>>     default_domain = col.missouri.edu
>>     kdc = col.missouri.edu
>>    }
>>
>> [domain_realm]
>>    .missouri.edu = COL.MISSOURI.EDU
>>    missouri.edu = COL.MISSOURI.EDU
>>
>>    col.missouri.edu = COL.MISSOURI.EDU
>>    .col.missouri.edu = COL.MISSOURI.EDU
>>
>> [kdc]
>> profile= /var/kerberos/krb5kdc/kdc.conf
>>
>> [appdefaults]
>> pam = {
>>           debug=false
>>           ticket_lifetime=36000
>>           renew_lifetime=36000
>>           forwardable=true
>>           krb4_convert=false
>> }
>>
>> ### /etc/samba/smb.conf ###
>>
>> [global]
>>           workgroup = UMC-USERS
>>           password server = col.missouri.edu
>>           realm = COL.MISSOURI.EDU
>>           security = ADS
>>           allow trusted domains = yes
>>           idmap config *:backend = rid
>>           idmap config *:range = 1000-60000
>>           idmap uid = 60001-100000
>>           idmap gid = 60001-100000
>>           winbind use default domain = false
>>           winbind offline logon = true
>>           winbind separator = \
>>           netbios name = ZENA
>>           server string = Rouder Centos Samba Server Version %v
>>           interfaces = 128.206.38.63
>>           hosts allow = 128.206. 10.7.
>>           log file = /var/log/samba/log.%m
>>           max log size = 50
>>           preferred master = no
>>           encrypt passwords = yes
>>           log level = 3
>>           local master = no
>>           preferred master = no
>>           dns proxy = no
>>           template shell = /bin/bash
>>           server string = Rouder Centos
>>           server signing = auto
>>           socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>>
>>
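As an added example (not part of this thread and not Samba's own tooling), a small Python check of the layout the idmap_rid(8) page Dale links to describes: a catch-all `*` domain plus one `idmap config DOMAIN : backend/range` pair per domain, with ranges that never touch. The check parses the `idmap config` lines out of an smb.conf, reports a default domain that uses the arithmetic rid backend (the `*` entry applies to every domain without its own entry, so all of them would share one range), and flags any two ranges that overlap, since overlapping ranges let two different SIDs land on the same Unix UID or GID. The sample inputs are constructed: the first mirrors the two idmap lines in the posted smb.conf, the others use placeholder domain names MAIN and TRUSTED with ranges in the style of the man page example.

```python
import re
from typing import Dict, List, Tuple

# Matches "idmap config <domain> : <key> = <value>" in either spacing style seen in
# smb.conf files, e.g. "idmap config *:range = 1000-60000" or
# "idmap config MAIN : range = 10000 - 49999".
IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<domain>[^\s:]+)\s*:\s*(?P<key>\w+)\s*=\s*(?P<value>.+?)\s*$",
    re.IGNORECASE,
)
RANGE_RE = re.compile(r"^(\d+)\s*-\s*(\d+)$")


def parse_idmap(smb_conf: str) -> Dict[str, Dict[str, str]]:
    """Collect per-domain idmap settings: {"MAIN": {"backend": "rid", "range": "..."}}."""
    domains: Dict[str, Dict[str, str]] = {}
    for line in smb_conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom = m.group("domain").upper()
            domains.setdefault(dom, {})[m.group("key").lower()] = m.group("value")
    return domains


def check_idmap(smb_conf: str) -> List[str]:
    """Return human-readable problems with the idmap layout; an empty list means it looks sane."""
    problems: List[str] = []
    domains = parse_idmap(smb_conf)
    ranges: List[Tuple[str, int, int]] = []

    if "*" not in domains:
        problems.append("no 'idmap config * : ...' default domain defined")
    elif domains["*"].get("backend", "").lower() == "rid":
        # rid is purely arithmetic (ID = range low + RID), and the '*' entry applies to
        # every domain that has no entry of its own, so all of them would share one range.
        problems.append("*: default backend is rid; every domain without its own "
                        "idmap config shares this one arithmetic range")

    for dom, cfg in sorted(domains.items()):
        if "backend" not in cfg:
            problems.append(f"{dom}: no backend configured")
        if "range" not in cfg:
            problems.append(f"{dom}: no range configured")
            continue
        r = RANGE_RE.match(cfg["range"])
        if not r:
            problems.append(f"{dom}: unparsable range '{cfg['range']}'")
            continue
        low, high = int(r.group(1)), int(r.group(2))
        if low >= high:
            problems.append(f"{dom}: range low {low} is not below high {high}")
            continue
        ranges.append((dom, low, high))

    # Pairwise overlap check: two domains sharing any ID means two different SIDs
    # can map to the same Unix UID/GID, i.e. one account inherits another's file access.
    for i, (a, alo, ahi) in enumerate(ranges):
        for b, blo, bhi in ranges[i + 1:]:
            if alo <= bhi and blo <= ahi:
                problems.append(f"ranges of {a} ({alo}-{ahi}) and {b} ({blo}-{bhi}) overlap")
    return problems


# Constructed sample mirroring the two idmap lines in the posted smb.conf:
# a single rid range on the default domain and nothing per trusted domain.
POSTED_IDMAP = """
idmap config *:backend = rid
idmap config *:range = 1000-60000
"""

# Constructed multi-domain layout in the style of the idmap_rid(8) example:
# tdb for the catch-all domain, rid per named domain, ranges that do not touch.
# MAIN and TRUSTED are placeholder domain names.
MULTI_DOMAIN_IDMAP = """
idmap config * : backend = tdb
idmap config * : range = 1000000-1999999
idmap config MAIN : backend = rid
idmap config MAIN : range = 10000 - 49999
idmap config TRUSTED : backend = rid
idmap config TRUSTED : range = 50000 - 99999
"""

# Same layout with TRUSTED's range slid down into MAIN's: the check must catch it.
OVERLAPPING_IDMAP = MULTI_DOMAIN_IDMAP.replace("50000 - 99999", "40000 - 89999")

if __name__ == "__main__":
    for name, conf in [("posted", POSTED_IDMAP),
                       ("multi-domain", MULTI_DOMAIN_IDMAP),
                       ("overlapping", OVERLAPPING_IDMAP)]:
        print(f"{name}: {check_idmap(conf) or 'ok'}")
```

Run it against your own smb.conf by passing the file contents to `check_idmap()`; an empty list is the layout the man page example describes. The check deliberately ignores the older `idmap uid` / `idmap gid` lines, so a config that relies on those instead of `idmap config * : range` will show up as a missing range rather than pass silently.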
