[Samba] Trusted domain with different short name to DNS name.

[A. James Lewis]

September 28, 2017 3:32 PM, "Rowland Penny via samba" <samba at lists.samba.org> wrote:

> On Thu, 28 Sep 2017 13:57:25 +0000
> "A. James Lewis via samba" <samba at lists.samba.org> wrote:
> 
>> Hey,
>> 
>> I have 2 trusted domains to deal with, "DEV" and "TODEV", and I have
>> configured smb.conf like this:-
>> 
>> [global]
>> workgroup = MAIN
>> security = ADS
>> realm = MAIN.DOMAIN.LOCAL
>> 
>> idmap config *:backend = tdb
>> idmap config *:range = 95000-99999
>> idmap config MAIN:backend = rid
>> idmap config MAIN:range = 100000-999999
>> idmap config DEV:backend = rid
>> idmap config DEV:range = 2000000-2999999
>> idmap config TODEV:backend = rid
>> idmap config TODEV:range = 3000000-3999999
>> 
>> winbind trusted domains only = no
>> winbind use default domain = yes
>> winbind refresh tickets = yes
>> 
>> template shell = /bin/bash
>> template homedir = /home/%D/%U
>> 
>> The issue is that "TODEV" is the short name, while the DNS name is
>> to.dev.domain.local.... I can see group memberships in "DEV", but not
>> in TODEV... presumably because there's no way for Samba to map the
>> TODEV short name to a DNS "SRV" query to find the LDAP server details.
>> 
>> What would be the correct way to go about this when the domain short
>> name, and the DNS don't match?
> 
> What version of Samba ?
> Are the trusts two way ?
> 
> You should remove 'winbind use default domain'
> 
> Rowland
> 
> --


I don't believe it's a two way trust, since the "MAIN" domain is the authentication domain, while the DEV/TODEV domains contain their own resources but the MAIN domain does not trust users in the DEV/TODEV domains.

As I say, it works with DEV, if I run wbinfo -r jlewis, I can see my group memberships in DEV, but not TODEV.

--
A. James Lewis (james at fsck.co.uk)
"Engineering does not require science. Science helps a lot but people
built perfectly good brick walls long before they knew why cement works."