[Samba] AD domain member cannot authenticate user in remote forest unless smbclient uses "localhost"

Rowland penny rpenny at samba.org
Tue Oct 29 15:35:28 UTC 2019

On 29/10/2019 15:13, Nathaniel W. Turner via samba wrote:
> On Tue, Oct 29, 2019 at 5:37 AM Rowland penny via samba <
> samba at lists.samba.org> wrote:
>> If you require help setting up Unix domain members with winbind, can I
>> suggest you read this:
>> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
> Well, I was not having problems with the actual process of joining using
> "realm join --client-software=winbind". The resulting membership also
> appears to be mostly functional, as I was able to authenticate users in all
> trusted domains (via the localhost samba test I described in my first
> message, or directly, using "wbinfo -a" or "ntlm_auth").
As far as I am aware, 'realm join' is a wrapper around 'net ads join'
and just because wbinfo works it doesn't mean that Unix knows the AD
users and groups.
> However, since it seemed important, I tried starting from scratch using the
> wiki instructions you linked to above. These seem to be incomplete, as with
> that approach, I am unable to join at all. The document first says to
> delete your smb.conf,
It doesn't any more ;-)
> and then only discusses setting up the id mapping
> section. I assume there are other things that need to go in there, but I
> was attempting to follow the instructions exactly, so that folks would
> consider my test to be valid. Have you tried following those instructions
> recently?

Yes, you are quite right, they do need updating, the only problem is
how? Just what should be in a default smb.conf? I will think about this.

