[Samba] Attempting a trust between Samba and Windows AD DC

Tue Nov 7 15:47:16 UTC 2017

Hi Rowland,

Thanks for the swift response.

I'm not married to SSSD and am happy to use the best tool for the job, but
was just looking for some general advice on my situation.

I'll post on the sssd-users mailing as well.

Thanks,
Chris.

On 7 November 2017 at 15:38, Rowland Penny <rpenny at samba.org> wrote:

> On Tue, 7 Nov 2017 15:06:55 +0000
> Chris Alavoine via samba <samba at lists.samba.org> wrote:
>
> > Hi all,
> >
> > We are about to integrate a large number of users into our
> > organisation and I've been tasked with attempting to allow said users
> > access to our internal systems which are controlled from 10 x Samba
> > 4.6.3 DC's across several sites.
> >
> > All Samba DC's are running either Ubuntu 14.04 or 16.04.
> >
> > Replication works nicely between these DC's and this system has been
> > relatively stable for some time now. We use BIND_DLZ as our DNS
> > backend.
> >
> > The new users will be being created on a Windows Server 2016 AD DC
> > and I've created a trust between the 2 domains (which has validated
> > at both ends). wbinfo returns useful information for each domain and
> > I've got SSSD working from a member server. I can assign rights to a
> > share on a member server from the trusted domain and all looks good.
> > However, I am unable to access the shares on our member servers
> > (fileservers) as one of the new external users. It feels like I'm
> > quite close but I am either missing something very obvious or going
> > about it in the wrong way.
> >
> > All member servers are running Ubuntu and at least Samba 4.6.3 (some
> > of them newer). I've created a test member server for me to test
> > things out on. I am currently testing with SSSD as it allows multiple
> > domains to be declared. My smb.conf currently looks like this:
> >
> > [global]
> >    netbios name = FS-006
> >    security = ADS
> >    realm = EXAMPLE.COM
> >    workgroup = EXAMPLE
> >
> >    allow trusted domains = yes
> >
> >    log file = /var/log/samba/%m.log
> >
> >    kerberos method = secrets and keytab
> >
> >    idmap config *:backend = tdb
> >    idmap config *:range = 500-2000
> >    idmap config EXAMPLE:backend = ad
> >    idmap config EXAMPLE:schema_mode = rfc2307
> >    idmap config EXAMPLE:range = 10000-9999999
> >    idmap config EXTERNAL:backend = ad
> >    idmap config EXTERNAL:schema_mode = rfc2307
> >    idmap config EXTERNAL:range = 10000000-99999999999
>
> If you are running sssd and using it for authentication, then the above
> 'idmap config' is useless.
> If you want to continue using sssd, then can I suggest asking on the
> sssd-users mailing list, sssd has nothing to do with Samba.
>
> Rowland
>

-- 
ACS (Alavoine Computer Services Ltd)
Chris Alavoine
mob +44 (0)7724 710 730
www.alavoinecs.co.uk
http://twitter.com/#!/alavoinecs
http://www.linkedin.com/pub/chris-alavoine/39/606/192