winbind and one way trust - is it even possible?

Jiri 'Ghormoon' Novak ghormoon at ghorland.net
Thu Oct 13 15:36:22 UTC 2016


Is it currently possible in 4.2 or 4.4 to accept a one-way trust between
domains? I've found some old discussions saying this should somehow be
possible since 3.2, but I've had no luck getting anything moving.

The setup is that there's domain A, where I have a few users and I join
the servers there (Windows AD), and a one-way trust to B (Windows AD), so
B\user can log in to machines in A (this works on Windows).
Now I'm trying to join a Linux (CentOS) server to behave in the same way.

My best result was with winbind: A\user can log in correctly, I can su -
B\user, after a timeout it succeeds and creates the home directory (from
root), but logging in as B\user fails over ssh (no matter if the password
is correct or wrong, I get a timeout).
su - B\nonexistent_user fails immediately, so it obviously can check if
the user exists, but not the password.
Any hints where to start? Is this even possible?

Listing wbinfo -u --all-domains shows A\someusers, A, B (and some other
things), but no B\user (I have no idea how it knows if the user exists
then, though). Same for groups: I see only the domain, but no groups.
I have both domains listed in krb5.conf.

Thanks in advance,

