[Samba] AD domain member cannot authenticate user in remote forest unless smbclient uses "localhost"

Nathaniel W. Turner nathanielwyliet at gmail.com
Tue Oct 29 15:26:27 UTC 2019


I see. =)

I probably should have set the backend to autorid for "*", but I didn't
think the ID mapping really mattered for the specific test I was doing.

The "realm list" output shows the client software as winbind (not sssd) and
the logs show messages from winbindd as it handles the authentication (in
the successful cases), so I think that indicates that winbind is in use
here.

Does anyone know whether winbind is expected to be able to handle
authenticating users in other trusted forests, and if so, why it might only
be able to do so when ntlmssp is used (vs. gse_krb5)?


On Tue, Oct 29, 2019 at 11:00 AM Rowland penny via samba <
samba at lists.samba.org> wrote:

> On 29/10/2019 14:52, Nathaniel W. Turner via samba wrote:
> > Hi Rowland,
> >
> > On Tue, Oct 29, 2019 at 5:37 AM Rowland penny via samba <
> > samba at lists.samba.org> wrote:
> >
> >> I am sorry but you seem to be asking on the wrong list, you appear to be
> >> using sssd (which isn't supported with Samba from 4.8.0), Samba isn't
> >> doing the authentication.
> >>
> > What part of my problem description, or which log entries make you think I
> > am using sssd?
> > n
>
> The fact that you do not have lines in smb.conf similar to these:
>
> idmap config TC83 : backend = rid
> idmap config TC83 : range = 100000-1999999
>
> The lack of these lines means one of two things, either your smb.conf
> isn't set up correctly or you are using sssd and it is usually the
> latter ;-)
>
> Rowland

