[Samba] Samba4 problem with Windows Domain Trust

Gaiseric Vandal gaiseric.vandal at gmail.com
Tue Dec 20 19:16:39 UTC 2016


Does "wbinfo -u" show DOMAIN_B users?

Do the following commands work?


     wbinfo -n DOMAIN_B+someuser
     wbinfo -i DOMAIN_B+someuser
     wbinfo --allocate-uid


Did you try using the ad backend for domain_B and statically allocating uid 
and gid numbers in Active Directory?


You might want to try setting
     winbind rpc only = Yes

(which would point to an issue with LDAP.)


On 12/20/16 13:23, Josef Wölfle via samba wrote:
> Hi Gaiseric,
>
> I have tried that, also in different variations. But the users and 
> groups of DOMAIN_B remain invisible.
>
> Below is the smb.conf in its current state.
>
> By the way: kinit works with both, users of DOM_A and users of DOM_B.
>
> [global]
>         workgroup = DOM_A
>         server string = Samba %v
>         log file = /var/log/samba/log.%m
>         max log size = 50
>         password server = *
>         realm = INTRA.DOMAIN-A.DE
>         security = ads
>         server signing = auto
>         encrypt passwords = yes
>         kerberos method = secrets and keytab
>         dedicated keytab file = /etc/krb5.keytab
>         idmap config * : backend  = tdb
>         idmap config * : range =  5000-6000
>         idmap config intra.domain-a.de : backend  = ad
>         idmap config intra.domain-a.de : range = 1000-1999
>         idmap config intra.domain-b.de  : backend  = tdb
>         idmap config intra.domain-b.de: range = 4000-4999
>         # idmap config * : range = 1000000-1999999
>         winbind separator = +
>         template homedir = /home/%U
>         winbind use default domain = false
>         winbind offline logon = false
>         server string = linuxserver1
>         netbios name = linuxserver1
>         winbind enum users = yes
>         winbind enum groups = yes
>         winbind nested groups = yes
>         client max protocol = LANMAN1
>         client use spnego = yes
>         #client ldap sasl wrapping = plain
>         #ldap server require strong auth = yes
>         kccsrv:samba_kcc = no
>         ntlm auth = yes
>         smb2 leases = no
>         allow trusted domains = yes
>         vfs objects = acl_xattr
>         map acl inherit = yes
>         store dos attributes = yes
>         template shell = /bin/bash



