[Samba] Windows pre-requisites for login with winbind?

Rowland Penny rpenny at samba.org
Thu Aug 24 11:12:03 UTC 2017


On Thu, 24 Aug 2017 10:55:26 +0000
"A. James Lewis" <james at fsck.co.uk> wrote:

> Yes indeed.... I know a lot about the Linux side, but Windows is a
> bit of a mystery to me... and I have to confess to not knowing
> exactly how nss links various directory services into the system....
> hence my comment earlier with "Password file entry" in quotes... I
> know it's not in the password file, and is amalgamated into the
> password "map", via nss, but I'm not sure what the correct
> terminology is for that.... "map" makes me think NIS, but I guess it
> could be extended to other directory services now.
> 
> One thing I would ask, especially given your earlier assistance with
> my configs... could you advise what would be required to allow
> logging in to multiple domains.
> 
> Existing configs included at the end:-
> 
> As far as I can see, so long as it can look up the
> _kerberos._tcp.DOMAIN2 record, I should not need to add anything to
> krb5.conf... 
> 
> For smb.conf, clearly I need to add:-
> 
>    idmap config DOMAIN2:backend = rid
>    idmap config DOMAIN2:range = 500000-800000
> 
> But do I need to add anything else to make that happen?
> 
> Thanks again.
> 
> James
> 
> ------------------------------------------------
> $ cat krb5.conf | ./anon.sh 
> [libdefaults]
> 	default_realm = DOMAIN.LOCAL
> 	dns_lookup_realm = false
> 	dns_lookup_kdc = true
> 
> 
> $ cat smb.conf | ./anon.sh 
> [global]
>    workgroup = DOMAIN
>    security = ADS
>    realm = DOMAIN.LOCAL
> 
>    idmap config *:backend = tdb
>    idmap config *:range = 4000-4999
>    idmap config DOMAIN:backend = rid
>    idmap config DOMAIN:range = 5000-300000
> 
>    winbind trusted domains only = no
>    winbind use default domain = yes
>    winbind refresh tickets = yes
> 
>    template shell = /bin/bash
>    template homedir = /home/%D/%U
> 

In theory (wonderful thing, theory) you just need to set up a two-way
trust between the two domains and then add the lines you propose,
restart Samba and it should work. It used to work with Samba3, but I
haven't tried it lately ;-)

Rowland
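The one thing neither message spells out is the constraint that makes the proposed `idmap config DOMAIN2:*` lines safe to add: every idmap range in smb.conf (the `*` default, DOMAIN, DOMAIN2) must be disjoint, or winbind will hand the same uid to accounts from two different domains. Below is an added example, not code from the thread or from Samba itself, that parses the idmap lines of the smb.conf quoted above (with James's two DOMAIN2 lines appended; the whole config text is a constructed sample) and reports any overlapping ranges. It also applies the `idmap_rid` arithmetic from the idmap_rid man page, `ID = RID - BASE_RID + LOW_RANGE_ID`, to show which Unix id a given RID lands on and when a RID falls outside the range and cannot be mapped; the `base_rid` default of 0 and the function names are this example's own assumptions.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the [global] section quoted in the thread plus the two
# DOMAIN2 lines James proposed to add. Not any real site's configuration.
SMB_CONF = """
[global]
   workgroup = DOMAIN
   security = ADS
   realm = DOMAIN.LOCAL

   idmap config *:backend = tdb
   idmap config *:range = 4000-4999
   idmap config DOMAIN:backend = rid
   idmap config DOMAIN:range = 5000-300000
   idmap config DOMAIN2:backend = rid
   idmap config DOMAIN2:range = 500000-800000

   winbind use default domain = yes
"""

# Matches "idmap config <domain>:<backend|range> = <value>" (smb.conf is case-insensitive).
IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>[^:\s]+)\s*:\s*(?P<key>backend|range)\s*=\s*(?P<val>.+?)\s*$",
    re.IGNORECASE,
)


def parse_idmap(conf: str) -> Dict[str, dict]:
    """Collect the backend and (low, high) range configured for each idmap domain."""
    domains: Dict[str, dict] = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        entry = domains.setdefault(m.group("dom").upper(), {})
        if m.group("key").lower() == "range":
            low, high = (int(x) for x in re.split(r"\s*-\s*", m.group("val"), maxsplit=1))
            entry["range"] = (low, high)
        else:
            entry["backend"] = m.group("val").lower()
    return domains


def check_ranges(domains: Dict[str, dict]) -> List[str]:
    """Return human-readable problems: missing or inverted ranges, and any pair of
    domains whose ranges overlap (which would let two domains share Unix ids)."""
    problems: List[str] = []
    for dom, e in domains.items():
        if "range" not in e:
            problems.append(f"{dom}: no idmap range configured")
        elif e["range"][0] > e["range"][1]:
            problems.append(f"{dom}: range low ({e['range'][0]}) is above high ({e['range'][1]})")
    named: List[Tuple[str, Tuple[int, int]]] = [
        (d, e["range"]) for d, e in domains.items() if "range" in e
    ]
    for i in range(len(named)):
        for j in range(i + 1, len(named)):
            (d1, (l1, h1)), (d2, (l2, h2)) = named[i], named[j]
            if l1 <= h2 and l2 <= h1:  # closed intervals intersect
                problems.append(f"{d1} range {l1}-{h1} overlaps {d2} range {l2}-{h2}")
    return problems


def rid_to_unix_id(domains: Dict[str, dict], dom: str, rid: int, base_rid: int = 0) -> Optional[int]:
    """idmap_rid mapping ID = RID - BASE_RID + LOW_RANGE_ID (idmap_rid man page).
    Returns None when the domain is not rid-backed or the result leaves the range,
    i.e. when winbind would fail to map that SID to a Unix id."""
    e = domains.get(dom.upper())
    if not e or e.get("backend") != "rid" or "range" not in e:
        return None
    low, high = e["range"]
    unix_id = rid - base_rid + low
    return unix_id if low <= unix_id <= high else None


if __name__ == "__main__":
    cfg = parse_idmap(SMB_CONF)
    for dom, e in sorted(cfg.items()):
        print(f"{dom:8s} backend={e.get('backend')} range={e.get('range')}")
    print("problems:", check_ranges(cfg) or "none")
    # Same RID in the two domains lands in two disjoint uid ranges.
    print("DOMAIN  RID 1105 ->", rid_to_unix_id(cfg, "DOMAIN", 1105))
    print("DOMAIN2 RID 1105 ->", rid_to_unix_id(cfg, "DOMAIN2", 1105))
```

Running it on the quoted config reports no problems, because 4000-4999, 5000-300000 and 500000-800000 are pairwise disjoint; change DOMAIN2 to start at 200000 and the overlap with DOMAIN is flagged. Note also that with `rid` the usable RID span equals the size of the range, so a DOMAIN range of 5000-300000 cannot map a RID above 295000.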