[Samba] Winbind with krb5auth for trust users
Andreas Hauffe
andreas.hauffe at tu-dresden.de
Tue Aug 22 15:18:59 UTC 2017
Hi,
the external trust, we have, is a one directional external trust. So
users of the trusted dom can logon on local dom clients, but not the
other way around. In case of "wbinfo -a" all communication is between
the client and the domain controller of the local domain, which is the
proxy for the auth process. In case of "wbinfo -K" all communication is
between the client and a trusted domain controller and the client do not
have any rights/credentials there. Perhaps, that's way I'm getting a
No logon servers Could not authenticate user [GLOBALDOM\globdomuser]
with Kerberos
error message.
Regards,
Andreas
Am 22.08.2017 um 14:30 schrieb Andreas Hauffe via samba:
> Hi,
>
> I already added the two lines in smb.conf for my last test.
>
> Andreas
>
> [global]
> security = ADS
> workgroup = LOC
> realm = LOC.EXAMPLE.COM
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
>
> log file = /var/log/samba/%m.log
> log level = 1
>
> template homedir = /home/%D/%U
> template shell = /bin/bash
>
> # Default ID mapping configuration for local BUILTIN accounts
> # and groups on a domain member. The default (*) domain:
> # - must not overlap with any domain ID mapping configuration!
> # - must use a read-write-enabled back end, such as tdb.
> # - Adding just this is not enough
> # - You must set a DOMAIN backend configuration, see below
> idmap config * : backend = tdb
> idmap config * : range = 3000-9999
> idmap config LOC : backend = rid
> idmap config LOC : range = 1000000-2000000
> idmap config GLOB : backend = rid
> idmap config GLOB : range = 3000000-4000000
>
>
> Am 22.08.2017 um 14:10 schrieb Rowland Penny via samba:
>> On Tue, 22 Aug 2017 13:51:24 +0200
>> Andreas Hauffe via samba <samba at lists.samba.org> wrote:
>>
>>> Hi,
>>>
>>> sorry for not reading the comment above idmap config. I uninstalled
>>> and reinstalled samba and configs to remove all old id mappings and
>>> so on. Then changed all configs as adviced. The id mapping is working
>>> correctly (wbinfo -i) for local and trusted domain. But I still
>>> cannot logon with wbinfo -K with a trusted domain account.
>>>
>> You will probably need a couple more lines in smb.conf:
>>
>> idmap config OTHERDOM : backend = rid
>> idmap config OTHERDOM : range = 2000001-3000000
>>
>> Rowland
>>
>
>
>
More information about the samba
mailing list