Need help

Collins, Jeremy jeremy.collins at cgi.com
Fri Apr 29 15:09:23 UTC 2016

Good morning.

I need help getting Samba to work the way I would like it to work.

I have two AD domains (2012R2), DOM-A and DOM-B.  I have elected to not use any SFU or RFC2307 extensions as MS has deprecated those features.

DOM-A has a group, "sysadmins", which has users in it.
DOM-B trusts DOM-A.  DOM-B also has a group "trusted_sysadmins", the member of which is DOM-A\sysadmins.

My host is to be a member of DOM-B.  I can join it to the domain just fine, and authentication works for both DOM-A and DOM-B accounts.  However winbind is not producing any group information for DOM-A accounts other than "DOM-A\Domain Users".  I do need the host to see DOM-A memberships as I intend to use sshd AllowGroups to restrict who can log into the host.  If the host could see that users were (or were not) members of DOM-B\trusted_sysadmins that would also work; basically if "id" can tell the userid is a member of either group, I can shove it in sshd_config AllowGroups and get the effect I want.

Larger picture:
This is all going into kickstart, with the goal that a newly kickstarted host will be automatically joined to DOM-B, and the sysadmin team in DOM-A will be the only group allowed to login (initially).

My current target is RHEL7, although this will also be applied to new RHEL5 and RHEL6, as well as existing populations of RHEL5 and RHEL6.  Samba major versions will be 3 and 4.  Minor and patch versions will vary for many reasons.

I've been googling furiously for some time now.  I've found numerous threads here and there that seem to describe a similar situation, but the threads always end without an answer.

Current smb.conf globals:
log file = /var/log/samba/%m.log
log level = 10
max log size = 0
workgroup = DOM-B
#password server = dombdc01.domb.dom
realm = DOMB.DOM
security = ads
template shell = /bin/bash
template homedir = /home/%U
kerberos method = secrets and keytab
client signing = yes
client use spnego = yes
winbind use default domain = false
winbind offline logon = false
winbind separator = +
winbind cache time = 15
winbind expand groups = 1
idmap config * : range = 100000-9999999
idmap config * : rangesize = 1000000
idmap config * : backend = autorid

Thanks in advance for any advice,
Jeremy Collins

