[Samba] Winbind authentication from different domain not working

C. de Man c.deman82 at gmail.com
Sat Feb 17 14:31:19 UTC 2018


config smb.conf
[global]
	realm = DOMAINB
	workgroup = DOMAINB
	security = ADS
	template homedir = /home/%U
	template shell = /bin/bash
	winbind expand groups = 1
	winbind separator = +
	winbind use default domain = Yes
	idmap config domainb : range = 3000001 - 4000000
	idmap config domainb : backend = rid
	idmap config domainc : range = 2000001 - 3000000
	idmap config domainc : backend = rid
	idmap config domaina : range = 1000001 - 2000000
	idmap config domaina : backend = rid
	idmap config * : range = 1000000-199999999
	idmap config * : backend = tdb

wbinfo --online-status
BUILTIN : online
SERVER01 : online
DOMAINB : online
DOMAINA : offline 

As you can see, DOMAINA is offline. If we open up the firewall, it is online and we are able to log on with a user from DOMAINA on SERVER01.


> 
>> We are running winbind (4.6.2) on a member server (CentOS 7) connected to
>> an Active Directory domain.
>> 
>> 1 forest with 2 domains with a 2-way trust between them.
>> 
>> 
>> We want users from “DOMAIN A” to be able to log on (via SSH) to a server
>> “SERVER01” in “DOMAIN B”. This works well if “SERVER01” in
>> “DOMAIN B” can talk directly to “DOMAIN A”, but when there is a
>> firewall between “SERVER01” and “DOMAIN A” it doesn’t work anymore.
>> 
>> winbind tries to look up the “DOMAIN A” domain controller for user
>> validation directly. It is not using the trust and validating “DOMAIN
>> A” users via “DOMAIN B” domain controllers.
>> 
>> The trust between the domains is working. We’ve put a Windows 2008
>> machine in the same subnet and were able to log on with a user from
>> “DOMAIN A” on the Windows server from “DOMAIN B”.
>> 
>> Is there a way to inform winbind to use “DOMAIN B” to validate users
>> from “DOMAIN A”?
>> 


