[Samba] Windows pre-requisites for login with winbind?

Thu Aug 24 12:26:11 UTC 2017

Well, network connectivity to the other DC would probably also be required... and I don't have that currently... so there's the first hurdle... but thanks for confirming that there's no other configuration required.

I'm slightly surprised that the smb.conf does not require the full realm name like "DOMAIN2.LOCAL" somewhere in there.

James

August 24, 2017 12:14 PM, "Rowland Penny via samba" <samba at lists.samba.org> wrote:

> On Thu, 24 Aug 2017 10:55:26 +0000
> "A. James Lewis" <james at fsck.co.uk> wrote:
> 
>> Yes indeed.... I know a lot about the Linux side, but Windows is a
>> bit of a mystery to me... and I have to confess to not knowing
>> exactly how nss links various directory services into the system....
>> hence my comment earlier with "Password file entry" in quotes... I
>> know it's not in the password file, and is amalgamated into the
>> password "map", via nss, but I'm not sure what the correct
>> terminology is for that.... "map" makes me think NIS, but I guess it
>> could be extended to other directory services now.
>> 
>> One thing I would ask, especially given your earlier assistance with
>> my configs... could you advise what would be required to allow
>> logging in to multiple domains.
>> 
>> Existing configs included at the end:-
>> 
>> As far as I can see, so long as it can look up the
>> _kerberos._tcp.DOMAIN2 record, I should not need to add anything to
>> krb5.conf...
>> 
>> For smb.conf, clearly I need to add:-
>> 
>> idmap config DOMAIN2:backend = rid
>> idmap config DOMAIN2:range = 500000-800000
>> 
>> But do I need to add anything else to make that happen?
>> 
>> Thanks again.
>> 
>> James
>> 
>> ------------------------------------------------
>> $ cat krb5.conf | ./anon.sh
>> [libdefaults]
>> default_realm = DOMAIN.LOCAL
>> dns_lookup_realm = false
>> dns_lookup_kdc = true
>> 
>> $ cat smb.conf | ./anon.sh
>> [global]
>> workgroup = DOMAIN
>> security = ADS
>> realm = DOMAIN.LOCAL
>> 
>> idmap config *:backend = tdb
>> idmap config *:range = 4000-4999
>> idmap config DOMAIN:backend = rid
>> idmap config DOMAIN:range = 5000-300000
>> 
>> winbind trusted domains only = no
>> winbind use default domain = yes
>> winbind refresh tickets = yes
>> 
>> template shell = /bin/bash
>> template homedir = /home/%D/%U
> 
> In theory (wonderful thing, theory) you just need to setup a two way
> trust between the two domains and then add the lines you propose,
> restart Samba and it should work. It used to work with Samba3, but I
> haven't tried it lately ;-)
> 
> Rowland
> 
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

--
A. James Lewis (james at fsck.co.uk)
"Engineering does not require science. Science helps a lot but people
built perfectly good brick walls long before they knew why cement works."