[Samba] AD domain member cannot authenticate user in remote forest unless smbclient uses "localhost"
Nathaniel W. Turner
nathanielwyliet at gmail.com
Tue Oct 29 15:59:21 UTC 2019
On Tue, Oct 29, 2019 at 11:43 AM Rowland penny via samba <samba at lists.samba.org> wrote:
> A) You do not need 'realmd', 'sssd' etc
Understood. Using realmd is a convenience, as it automates some
housekeeping, but I'm happy to take it out of the picture for the purposes
of this test, if that's important.
> B) Your smb.conf is incorrectly set up.
I'm not surprised. I read the docs and used "testparm", but I'm not a samba
expert, and I know there are lots of ways to write a valid, but silly,
smb.conf. What, other than the id mapping config, should I change?
Here's the config again (with a more appropriate id mapping config), for
[global]
kerberos method = system keytab
logging = systemd
realm = TC83.LOCAL
security = ADS
template homedir = /home/%U@%D
template shell = /bin/bash
winbind offline logon = Yes
winbind refresh tickets = Yes
workgroup = TC83
idmap config * : backend = autorid
idmap config * : range = 1000000-19999999

; share section header (the [name] line) is not preserved in the quoted post
path = /srv/test
valid users = "@tc83.local\domain users" "@tc84.local\domain users"
> > Does anyone know whether winbind is expected to be able to handle
> > authenticating users in other trusted forests, and if so, why it might
> > be able to do so when ntlmssp is used (vs. gse_krb5)?
> Trusted domains are supposed to work, but not sure about across forests?
Is there a better place for me to ask this question?
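The following diagnostic script is an added example and is not part of the thread above or of Samba itself. It runs, in order, the checks a practitioner would want before chasing the cross-forest failure: whether winbind can see the trusted forest at all (`wbinfo -m`), whether every domain named in `valid users` is among those domains, whether the group names resolve through autorid, whether winbind can authenticate the remote user over NTLM (`wbinfo -a`) and over Kerberos (`wbinfo -K`), and finally the smbclient pair from the subject line. Connecting to "localhost" cannot use Kerberos, because no KDC issues a ticket for an SPN cifs/localhost, so that session setup negotiates NTLMSSP; connecting to the host's real name with a ticket and `-k` uses gse_krb5, which is the contrast the poster observed. Assumptions not stated on the list: the remote forest's short name is TC84, the test account is TC84\testuser, the share is called "test" (the post only shows path = /srv/test), `valid users` entries of the form "@realm\group" reduce to the short name by taking the first DNS label, and smbclient is a 2019-era release that takes `-k`.

```bash
#!/bin/bash
# Added diagnostic script for a Samba AD member with a cross-forest trust.
# Assumptions (not from the thread): remote forest short name TC84, test
# account TC84\testuser, share name "test", password in $TESTPASS.
set -u

# --- pure helpers (work without winbind, so they can be tested offline) ---

# Is $1 (a short domain name) one of the lines of the 'wbinfo -m' output $2?
domain_listed() {
    local domain="$1" output="$2"
    printf '%s\n' "$output" | grep -qix -- "$domain"
}

# $1: the 'valid users' value from smb.conf; $2: output of 'wbinfo -m'.
# Prints each domain referenced in $1 that winbind does not list.
# "@tc83.local\..." is reduced to its first DNS label ("tc83"), assuming the
# short domain name equals that label, as it does for TC83.LOCAL / TC83.
missing_valid_user_domains() {
    local value="$1" output="$2" dom
    for dom in $(printf '%s\n' "$value" | grep -o '@[^\\]*' | tr -d '@'); do
        dom="${dom%%.*}"
        domain_listed "$dom" "$output" || printf '%s\n' "$dom"
    done
}

# --- live checks, in the order a practitioner would run them --------------

run_checks() {
    local dom=TC84 user='TC84\testuser' pass="${TESTPASS:?set TESTPASS}"
    local fqdn; fqdn=$(hostname -f)
    local valid='"@tc83.local\domain users" "@tc84.local\domain users"'
    local trusted; trusted=$(wbinfo -m)

    echo "== domains winbind can see (wbinfo -m)"; echo "$trusted"
    echo "== domains named in 'valid users' that winbind cannot see"
    missing_valid_user_domains "$valid" "$trusted"

    echo "== trust details and online state for $dom"
    wbinfo -D "$dom"
    wbinfo --online-status

    echo "== do the names in 'valid users' resolve through winbind/autorid?"
    wbinfo -n "$dom\\domain users"        # name -> SID
    getent group "$dom\\domain users"     # SID -> gid via autorid
    id "$user"

    echo "== winbind authentication: NTLM path, then Kerberos path"
    wbinfo -a "${user}%${pass}"           # plaintext + challenge/response
    wbinfo -K "${user}%${pass}"           # Kerberos (PAC) through winbind

    echo "== smbclient to localhost (NTLMSSP) vs. the FQDN with -k (gse_krb5)"
    # No KDC issues a ticket for cifs/localhost, so this negotiates NTLMSSP:
    smbclient //localhost/test -U "${user}%${pass}" -c ls
    # With a ticket from the remote realm and -k, the session uses Kerberos:
    kinit testuser@TC84.LOCAL
    smbclient "//$fqdn/test" -k -c ls
}

if [ "${1:-}" = "run" ]; then
    run_checks
fi
```

Run it as `TESTPASS='...' bash wbcheck.sh run` on the member server; without the `run` argument it only defines the functions. On Samba 4.15 and later `smbclient -k` has been replaced by `--use-kerberos=required`. If `missing_valid_user_domains` prints a name, winbind has not enumerated that forest, and `valid users` can never match it no matter which authentication mechanism the client negotiates.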