[Samba] Attempting a trust between Samba and Windows AD DC
Rowland Penny
rpenny at samba.org
Tue Nov 7 15:38:41 UTC 2017
On Tue, 7 Nov 2017 15:06:55 +0000
Chris Alavoine via samba <samba at lists.samba.org> wrote:
> Hi all,
>
> We are about to integrate a large number of users into our
> organisation and I've been tasked with attempting to allow said users
> access to our internal systems which are controlled from 10 x Samba
> 4.6.3 DCs across several sites.
>
> All Samba DCs are running either Ubuntu 14.04 or 16.04.
>
> Replication works nicely between these DCs and this system has been
> relatively stable for some time now. We use BIND_DLZ as our DNS
> backend.
>
> The new users will be created on a Windows Server 2016 AD DC
> and I've created a trust between the 2 domains (which has validated
> at both ends). wbinfo returns useful information for each domain and
> I've got SSSD working from a member server. I can assign rights to a
> share on a member server from the trusted domain and all looks good.
> However, I am unable to access the shares on our member servers
> (fileservers) as one of the new external users. It feels like I'm
> quite close but I am either missing something very obvious or going
> about it in the wrong way.
>
> All member servers are running Ubuntu and at least Samba 4.6.3 (some
> of them newer). I've created a test member server for me to test
> things out on. I am currently testing with SSSD as it allows multiple
> domains to be declared. My smb.conf currently looks like this:
>
> [global]
> netbios name = FS-006
> security = ADS
> realm = EXAMPLE.COM
> workgroup = EXAMPLE
>
> allow trusted domains = yes
>
> log file = /var/log/samba/%m.log
>
> kerberos method = secrets and keytab
>
> idmap config *:backend = tdb
> idmap config *:range = 500-2000
> idmap config EXAMPLE:backend = ad
> idmap config EXAMPLE:schema_mode = rfc2307
> idmap config EXAMPLE:range = 10000-9999999
> idmap config EXTERNAL:backend = ad
> idmap config EXTERNAL:schema_mode = rfc2307
> idmap config EXTERNAL:range = 10000000-99999999999
If you are running sssd and using it for authentication, then the above
'idmap config' is useless.
If you want to continue using sssd, then can I suggest asking on the
sssd-users mailing list, sssd has nothing to do with Samba.
Rowland
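For the winbind case (where the 'idmap config' lines above do apply), the ranges are worth checking before joining: every domain range must lie below the 32-bit uid_t limit, the '*' range must not overlap any domain range, and none of them should run into the UIDs the OS already hands out locally. The script below is an added example, not Samba's own code (winbindd does its own parsing of these parameters); it assumes the Debian/Ubuntu layout in which UIDs 0-999 are root and system accounts, and uses the posted smb.conf as constructed sample input. Two further caveats the check cannot see: with sssd doing the identity mapping these lines are simply ignored, as noted above, and the 'ad' backend with 'schema_mode = rfc2307' only maps accounts whose uidNumber/gidNumber attributes are actually populated in that domain's AD.

```python
"""Sanity-check the 'idmap config' ranges of a winbind member server's smb.conf.

Added example, not part of Samba. It reproduces the checks an admin does by
eye: well-formed ranges, a catch-all '*' range, no overlap between domains,
nothing above the 32-bit uid_t limit, nothing inside the system-account space.
"""
import re

UID_MAX = 2**32 - 1    # Linux uid_t/gid_t are 32-bit unsigned
SYSTEM_UID_MAX = 999   # assumption: Debian/Ubuntu put root and system accounts in 0-999

# Constructed sample input: the idmap lines from the smb.conf posted above.
SAMPLE_SMB_CONF = """
[global]
    security = ADS
    workgroup = EXAMPLE
    allow trusted domains = yes
    idmap config *:backend = tdb
    idmap config *:range = 500-2000
    idmap config EXAMPLE:backend = ad
    idmap config EXAMPLE:schema_mode = rfc2307
    idmap config EXAMPLE:range = 10000-9999999
    idmap config EXTERNAL:backend = ad
    idmap config EXTERNAL:schema_mode = rfc2307
    idmap config EXTERNAL:range = 10000000-99999999999
"""

# Matches 'idmap config DOMAIN : key = value' (spaces around ':' are optional).
IDMAP_RE = re.compile(
    r"^idmap\s+config\s+(?P<dom>[^:]+?)\s*:\s*(?P<key>\w+)\s*=\s*(?P<val>\S.*?)\s*$",
    re.IGNORECASE,
)


def parse_idmap(text):
    """Return {DOMAIN: {key: value}} for every idmap config line in the text."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;[":      # comments and section headers
            continue
        m = IDMAP_RE.match(line)
        if m:
            cfg.setdefault(m["dom"].upper(), {})[m["key"].lower()] = m["val"]
    return cfg


def parse_range(val):
    """'low-high' -> (low, high); raises ValueError on anything else."""
    lo, hi = val.split("-", 1)
    return int(lo), int(hi)


def check_idmap(cfg):
    """Return a list of human-readable problems; an empty list means the ranges look sane."""
    problems = []
    ranges = {}
    if "*" not in cfg or "range" not in cfg["*"]:
        problems.append("no 'idmap config * : range' for the default (catch-all) domain")
    for dom, keys in sorted(cfg.items()):
        if "range" not in keys:
            problems.append(f"{dom}: no range configured")
            continue
        try:
            lo, hi = parse_range(keys["range"])
        except ValueError:
            problems.append(f"{dom}: malformed range {keys['range']!r}")
            continue
        if lo >= hi:
            problems.append(f"{dom}: range low {lo} is not below high {hi}")
            continue
        if hi > UID_MAX:
            problems.append(f"{dom}: high {hi} exceeds the 32-bit uid_t maximum {UID_MAX}")
        if lo <= SYSTEM_UID_MAX:
            problems.append(f"{dom}: range starts at {lo}, inside the 0-{SYSTEM_UID_MAX} system-account space")
        ranges[dom] = (lo, hi)
    # Pairwise overlap check: winbind needs every range, '*' included, to be disjoint.
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                problems.append(f"{a} and {b}: ranges {ranges[a]} and {ranges[b]} overlap")
    return problems


if __name__ == "__main__":
    for p in check_idmap(parse_idmap(SAMPLE_SMB_CONF)):
        print(p)
```

Run against the posted config it reports two findings: the '*' range starts at 500, i.e. inside the system-account UID space, and the EXTERNAL upper bound 99999999999 is larger than a Linux uid_t can hold. The domain ranges themselves do not overlap each other.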