[Samba] Attempting a trust between Samba and Windows AD DC

Rowland Penny rpenny at samba.org
Tue Nov 7 15:38:41 UTC 2017 

On Tue, 7 Nov 2017 15:06:55 +0000
Chris Alavoine via samba <samba at lists.samba.org> wrote:

> Hi all,
> 
> We are about to integrate a large number of users into our
> organisation and I've been tasked with attempting to allow said users
> access to our internal systems which are controlled from 10 x Samba
> 4.6.3 DC's across several sites.
> 
> All Samba DC's are running either Ubuntu 14.04 or 16.04.
> 
> Replication works nicely between these DC's and this system has been
> relatively stable for some time now. We use BIND_DLZ as our DNS
> backend.
> 
> The new users will be being created on a Windows Server 2016 AD DC
> and I've created a trust between the 2 domains (which has validated
> at both ends). wbinfo returns useful information for each domain and
> I've got SSSD working from a member server. I can assign rights to a
> share on a member server from the trusted domain and all looks good.
> However, I am unable to access the shares on our member servers
> (fileservers) as one of the new external users. It feels like I'm
> quite close but I am either missing something very obvious or going
> about it in the wrong way.
> 
> All member servers are running Ubuntu and at least Samba 4.6.3 (some
> of them newer). I've created a test member server for me to test
> things out on. I am currently testing with SSSD as it allows multiple
> domains to be declared. My smb.conf currently looks like this:
> 
> [global]
>    netbios name = FS-006
>    security = ADS
>    realm = EXAMPLE.COM
>    workgroup = EXAMPLE
> 
>    allow trusted domains = yes
> 
>    log file = /var/log/samba/%m.log
> 
>    kerberos method = secrets and keytab
> 
>    idmap config *:backend = tdb
>    idmap config *:range = 500-2000
>    idmap config EXAMPLE:backend = ad
>    idmap config EXAMPLE:schema_mode = rfc2307
>    idmap config EXAMPLE:range = 10000-9999999
>    idmap config EXTERNAL:backend = ad
>    idmap config EXTERNAL:schema_mode = rfc2307
>    idmap config EXTERNAL:range = 10000000-99999999999

If you are running sssd and using it for authentication, then the above
'idmap config' is useless.
If you want to continue using sssd, then can I suggest asking on the
sssd-users mailing list, sssd has nothing to do with Samba.

Rowland

More information about the samba mailing list