[Samba] AD domain member cannot authenticate user in remote forest unless smbclient uses "localhost"

Nathaniel W. Turner nathanielwyliet at gmail.com
Tue Oct 29 15:59:21 UTC 2019

On Tue, Oct 29, 2019 at 11:43 AM Rowland penny via samba <
samba at lists.samba.org> wrote:

> A) You do not need 'realmd', 'sssd' etc

Understood. Using realmd is a convenience, as it automates some
housekeeping, but I'm happy to take it out of the picture for the purposes
of this test, if that's important.

> B) Your smb.conf is incorrectly set up.

I'm not surprised. I read the docs and used "testparm", but I'm not a Samba
expert, and I know there are lots of ways to write a valid, but silly,
smb.conf. What, other than the id mapping config, should I change?

Here's the config again (with a more appropriate id mapping config), for

kerberos method = system keytab
logging = systemd
realm = TC83.LOCAL
security = ADS
template homedir = /home/%U@%D
template shell = /bin/bash
winbind offline logon = Yes
winbind refresh tickets = Yes
workgroup = TC83
idmap config * : backend = autorid
idmap config * : range = 1000000-19999999

path = /srv/test
valid users = "@tc83.local\domain users" "@tc84.local\domain users"

> > Does anyone know whether winbind is expected to be able to handle
> > authenticating users in other trusted forests, and if so, why it might
> > only be able to do so when ntlmssp is used (vs. gse_krb5)?
> >
> Trusted domains are supposed to work, but not sure about across forests?

Is there a better place for me to ask this question?
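As an added illustration (not code from this thread or from the Samba project), here is a small Python linter for the smb.conf settings quoted above. It parses the fragment, checks the combinations that matter for an AD member (security = ADS with realm and workgroup, a default idmap backend with a sane range, and how many autorid domain ranges fit), and lists the domains in "valid users" that lie outside the joined realm, since those can only be resolved through the trust. Assumptions: the [global] and [test] section headers are added because the mail shows none, the autorid default rangesize of 100000 is used when none is configured, and the check logic is the author's own heuristic rather than Samba's internal validation.

```python
import re

# Constructed sample: the smb.conf fragment from the post, with section headers
# added as an assumption (the mail shows no [global]/[share] lines).
SAMPLE_SMB_CONF = r"""
[global]
kerberos method = system keytab
logging = systemd
realm = TC83.LOCAL
security = ADS
template homedir = /home/%U@%D
template shell = /bin/bash
winbind offline logon = Yes
winbind refresh tickets = Yes
workgroup = TC83
idmap config * : backend = autorid
idmap config * : range = 1000000-19999999

[test]
path = /srv/test
valid users = "@tc83.local\domain users" "@tc84.local\domain users"
"""

AUTORID_DEFAULT_RANGESIZE = 100000  # idmap_autorid default for "rangesize"


def parse_smb_conf(text):
    """Parse smb.conf text into {section: {normalized key: value}}."""
    sections = {"global": {}}
    current = "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # smb.conf comment lines
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if "=" in line:
            key, value = line.split("=", 1)
            sections[current][" ".join(key.lower().split())] = value.strip()
    return sections


def split_valid_users(value):
    """Split a 'valid users' value into entries, honouring double quotes."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', value)]


def entry_domain(entry):
    """Return the DOMAIN part of an '@DOMAIN\\group' or 'DOMAIN\\user' entry, or None."""
    name = entry.lstrip("@+&")  # group/netgroup prefixes used by smb.conf
    return name.split("\\", 1)[0].lower() if "\\" in name else None


def lint_smb_conf(text):
    """Check the AD-member settings and report errors plus trust-related notes."""
    conf = parse_smb_conf(text)
    g = conf["global"]
    errors, notes = [], []
    realm = g.get("realm", "")
    if g.get("security", "").lower() == "ads":
        if not realm:
            errors.append("security = ADS requires 'realm'")
        elif realm != realm.upper():
            errors.append("realm should be written in upper case")
        if not g.get("workgroup"):
            errors.append("security = ADS requires 'workgroup'")
    backend = g.get("idmap config * : backend", "").lower()
    autorid_ranges = None
    if not backend:
        errors.append("no default idmap backend ('idmap config * : backend')")
    m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", g.get("idmap config * : range", ""))
    if not m:
        errors.append("'idmap config * : range' missing or not LOW-HIGH")
    else:
        low, high = int(m.group(1)), int(m.group(2))
        if low >= high:
            errors.append("idmap range low must be below high")
        elif backend == "autorid":
            # Number of whole per-domain ranges autorid can hand out (heuristic).
            size = int(g.get("idmap config * : rangesize", AUTORID_DEFAULT_RANGESIZE))
            autorid_ranges = (high - low + 1) // size
            if autorid_ranges < 1:
                errors.append("autorid range smaller than one rangesize")
    foreign = set()
    for section in conf.values():
        for entry in split_valid_users(section.get("valid users", "")):
            dom = entry_domain(entry)
            if dom and dom not in (realm.lower(), g.get("workgroup", "").lower()):
                foreign.add(dom)
    for dom in sorted(foreign):
        notes.append(f"'valid users' references {dom}, outside the joined realm; "
                     "winbind must resolve it through the trust (see 'wbinfo -m')")
    return {"errors": errors, "notes": notes,
            "autorid_ranges": autorid_ranges, "foreign_domains": sorted(foreign)}


if __name__ == "__main__":
    for key, value in lint_smb_conf(SAMPLE_SMB_CONF).items():
        print(f"{key}: {value}")
```

Run it on a pasted smb.conf to see whether the basic AD-member settings are consistent before chasing the trust itself; the "foreign_domains" output is the list of domains that winbind has to reach across the trust, which is the part that differs between the ntlmssp and gse_krb5 paths discussed in the thread.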

