[Samba] Windows pre-requisites for login with winbind?
Rowland Penny
rpenny at samba.org
Thu Aug 24 11:12:03 UTC 2017
On Thu, 24 Aug 2017 10:55:26 +0000
"A. James Lewis" <james at fsck.co.uk> wrote:
> Yes indeed.... I know a lot about the Linux side, but Windows is a
> bit of a mystery to me... and I have to confess to not knowing
> exactly how nss links various directory services into the system....
> hence my comment earlier with "Password file entry" in quotes... I
> know it's not in the password file, and is amalgamated into the
> password "map", via nss, but I'm not sure what the correct
> terminology is for that.... "map" makes me think NIS, but I guess it
> could be extended to other directory services now.
>
> One thing I would ask, especially given your earlier assistance with
> my configs... could you advise what would be required to allow
> logging in to multiple domains.
>
> Existing configs included at the end:-
>
> As far as I can see, so long as it can look up the
> _kerberos._tcp.DOMAIN2 record, I should not need to add anything to
> krb5.conf...
>
> For smb.conf, clearly I need to add:-
>
> idmap config DOMAIN2:backend = rid
> idmap config DOMAIN2:range = 500000-800000
>
> But do I need to add anything else to make that happen?
>
> Thanks again.
>
> James
>
> ------------------------------------------------
> $ cat krb5.conf | ./anon.sh
> [libdefaults]
> default_realm = DOMAIN.LOCAL
> dns_lookup_realm = false
> dns_lookup_kdc = true
>
>
> $ cat smb.conf | ./anon.sh
> [global]
> workgroup = DOMAIN
> security = ADS
> realm = DOMAIN.LOCAL
>
> idmap config *:backend = tdb
> idmap config *:range = 4000-4999
> idmap config DOMAIN:backend = rid
> idmap config DOMAIN:range = 5000-300000
>
> winbind trusted domains only = no
> winbind use default domain = yes
> winbind refresh tickets = yes
>
> template shell = /bin/bash
> template homedir = /home/%D/%U
>
In theory (wonderful thing, theory) you just need to set up a two-way
trust between the two domains and then add the lines you propose,
restart Samba and it should work. It used to work with Samba3, but I
haven't tried it lately ;-)
Rowland
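An added check for the smb.conf change being discussed (example script written for this page, not code from the thread or from the Samba project): it takes the poster's [global] section plus the two proposed DOMAIN2 lines as a constructed sample and verifies that no two idmap ranges overlap, since an overlap between a domain's rid range and another domain's range, or the `*` default range, is the usual way a second domain ends up with colliding or missing uid/gid mappings. It assumes the lowercase `idmap config NAME:range = LOW-HIGH` spelling shown in the thread; the function and file names are this example's own.

```shell
#!/bin/sh
# Added example: check that the idmap ranges in an smb.conf do not overlap.
# Not from the original thread; the sample config below is constructed from
# the poster's [global] section plus the proposed DOMAIN2 lines.

# Write the constructed sample smb.conf to the path given as $1.
make_sample_smb_conf() {
  cat > "$1" <<'EOF'
[global]
workgroup = DOMAIN
security = ADS
realm = DOMAIN.LOCAL

idmap config *:backend = tdb
idmap config *:range = 4000-4999
idmap config DOMAIN:backend = rid
idmap config DOMAIN:range = 5000-300000
idmap config DOMAIN2:backend = rid
idmap config DOMAIN2:range = 500000-800000

winbind trusted domains only = no
winbind use default domain = yes
winbind refresh tickets = yes

template shell = /bin/bash
template homedir = /home/%D/%U
EOF
}

# Print "NAME LOW HIGH" for every "idmap config NAME:range = LOW-HIGH" line
# in the smb.conf given as $1 (assumes the lowercase spelling used above).
extract_ranges() {
  sed -n 's/^[[:space:]]*idmap config[[:space:]]*\([^:]*\):range[[:space:]]*=[[:space:]]*\([0-9]*\)[[:space:]]*-[[:space:]]*\([0-9]*\).*/\1 \2 \3/p' "$1"
}

# Return 0 when every range has LOW <= HIGH and no two ranges overlap,
# 1 otherwise, printing each problem found.
check_idmap_ranges() {
  extract_ranges "$1" | awk '
    {
      low = $2 + 0; high = $3 + 0
      if (low > high) {
        printf "bad range for %s: %d-%d\n", $1, low, high
        bad = 1
      }
      # Two closed ranges overlap when each starts before the other ends.
      for (i = 1; i <= n; i++) {
        if (low <= hi[i] && high >= lo[i]) {
          printf "overlap: %s (%d-%d) and %s (%d-%d)\n", name[i], lo[i], hi[i], $1, low, high
          bad = 1
        }
      }
      n++; name[n] = $1; lo[n] = low; hi[n] = high
    }
    END { exit (bad ? 1 : 0) }'
}

# Usage: sh check_idmap.sh /etc/samba/smb.conf
# With no argument, check the constructed sample instead.
if [ $# -eq 0 ]; then
  sample=$(mktemp)
  make_sample_smb_conf "$sample"
  check_idmap_ranges "$sample" && echo "sample config: idmap ranges OK"
  rm -f "$sample"
else
  check_idmap_ranges "$1" && echo "$1: idmap ranges OK"
fi
```

Once the trust exists and winbind has been restarted, `wbinfo -m` should list DOMAIN2 among the trusted domains and `wbinfo -u --domain=DOMAIN2` should enumerate its users; with `winbind use default domain = yes` only the primary domain's users lose their prefix, so a user from the second domain is looked up as `getent passwd 'DOMAIN2\user'` and, with the `template homedir` above, gets a home under /home/DOMAIN2.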