[Samba] AD domain member cannot authenticate user in remote forest unless smbclient uses "localhost"

Rowland penny rpenny at samba.org
Tue Oct 29 15:43:30 UTC 2019

On 29/10/2019 15:26, Nathaniel W. Turner via samba wrote:
> I see. =)
> I probably should have set the backend to autorid for "*", but I didn't
> think the ID mapping really mattered for the specific test I was doing.
From your point of view (multiple forests), 'autorid' will probably be the way to go.
> The "realm list" output shows the client software as winbind (not sssd) and
> the logs show messages from winbindd as it handles the authentication (in
> the successful cases), so I think that indicates that winbind is in use
> here.

Possibly, but:

A) You do not need 'realmd', 'sssd', etc.

B) Your smb.conf is incorrectly set up.

> Does anyone know whether winbind is expected to be able to handle
> authenticating users in other trusted forests, and if so, why it might only
> be able to do so when ntlmssp is used (vs. gse_krb5)?
Trusted domains are supposed to work, but not sure about across forests?

