[Samba] Winbind with krb5auth for trust users

Andreas Hauffe andreas.hauffe at tu-dresden.de
Tue Aug 22 12:30:44 UTC 2017


Hi,

I already added the two lines in smb.conf for my last test.

Andreas

[global]
        security = ADS
        workgroup = LOC
        realm = LOC.EXAMPLE.COM
        dedicated keytab file = /etc/krb5.keytab
        kerberos method = secrets and keytab

        log file = /var/log/samba/%m.log
        log level = 1

        template homedir = /home/%D/%U
        template shell = /bin/bash

        # Default ID mapping configuration for local BUILTIN accounts
        # and groups on a domain member. The default (*) domain:
        # - must not overlap with any domain ID mapping configuration!
        # - must use a read-write-enabled back end, such as tdb.
        # - Adding just this is not enough
        # - You must set a DOMAIN backend configuration, see below
        idmap config * : backend = tdb
        idmap config * : range = 3000-9999
        idmap config LOC : backend = rid
        idmap config LOC : range = 1000000-2000000
        idmap config GLOB : backend = rid
        idmap config GLOB : range = 3000000-4000000


On 22.08.2017 at 14:10, Rowland Penny via samba wrote:
> On Tue, 22 Aug 2017 13:51:24 +0200
> Andreas Hauffe via samba <samba at lists.samba.org> wrote:
>
>> Hi,
>>
>> sorry for not reading the comment above idmap config. I uninstalled
>> and reinstalled samba and configs to remove all old id mappings and
>> so on. Then changed all configs as advised. The id mapping is working
>> correctly (wbinfo -i) for local and trusted domain. But I still
>> cannot log on with wbinfo -K with a trusted domain account.
>>
> You will probably need a couple more lines in smb.conf:
>
>            idmap config OTHERDOM : backend = rid
>            idmap config OTHERDOM : range = 2000001-3000000
>
> Rowland
>


