[Samba] AD domain member cannot authenticate user in remote forest unless smbclient uses "localhost"

Rowland penny rpenny at samba.org
Tue Oct 29 16:22:03 UTC 2019

On 29/10/2019 15:59, Nathaniel W. Turner via samba wrote:
> On Tue, Oct 29, 2019 at 11:43 AM Rowland penny via samba <
> samba at lists.samba.org> wrote:
>> A) You do not need 'realmd', 'sssd' etc
> Understood. Using realmd is a convenience, as it automates some
> housekeeping, but I'm happy to take it out of the picture for the purposes
> of this test, if that's important.
I personally have never needed 'realmd', YMMV
>> B) Your smb.conf is incorrectly set up.
> I'm not surprised. I read the docs and used "testparm", but I'm not a samba
> expert, and I know there are lots of ways to write a valid, but silly,
> smb.conf.  What, other than the id mapping config, should I change?
> Here's the config again (with a more appropriate id mapping config), for
> reference:
> [global]
> kerberos method = system keytab
I would alter the line above, to 'secrets and keytab'
> logging = systemd
> realm = TC83.LOCAL
> security = ADS
> template homedir = /home/%U@%D
> template shell = /bin/bash
> winbind offline logon = Yes
> winbind refresh tickets = Yes
> workgroup = TC83
> idmap config * : backend = autorid
> idmap config * : range = 1000000-19999999
> [test]
> path = /srv/test
> valid users = "@tc83.local\domain users" "@tc84.local\domain users"

I wouldn't use 'valid users', I would set the permissions from Windows, 
but to do this you will need to add this to smb.conf:

username map = /etc/samba/user.map

And create '/etc/samba/user.map' with this content:

!root = TC83\Administrator

Finally your share is unwriteable, to make it writeable, add 'read only 
= no'

Apart from that, your smb.conf is basically OK, though you may want to 
add these lines:

     vfs objects = acl_xattr
     map acl inherit = Yes


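The following is an added example, not code from this thread or from the Samba project. It writes the smb.conf exactly as quoted above beside the version with the reply's suggestions applied (kerberos method = secrets and keytab, a username map, acl_xattr with map acl inherit, read only = no, and no valid users line), writes the matching user.map, and audits either file for those points so the difference is visible. The scratch directory $WORKDIR, the conf_get and audit_smbconf helper names, and the checks themselves are this example's assumptions; on a real member server the files are /etc/samba/smb.conf and /etc/samba/user.map.

```shell
#!/bin/sh
# Added example (not from the thread or from Samba). Scratch dir is an assumption.
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# The config as quoted in the thread: the form the reply is commenting on.
write_quoted_smbconf() {  # write_quoted_smbconf FILE
    cat >"$1" <<'EOF'
[global]
kerberos method = system keytab
logging = systemd
realm = TC83.LOCAL
security = ADS
template homedir = /home/%U@%D
template shell = /bin/bash
winbind offline logon = Yes
winbind refresh tickets = Yes
workgroup = TC83
idmap config * : backend = autorid
idmap config * : range = 1000000-19999999
[test]
path = /srv/test
valid users = "@tc83.local\domain users" "@tc84.local\domain users"
EOF
}

# Same config with the reply's suggestions applied. Access to [test] is left
# to Windows ACLs (acl_xattr), so 'valid users' is dropped.
write_fixed_smbconf() {  # write_fixed_smbconf FILE
    cat >"$1" <<'EOF'
[global]
    kerberos method = secrets and keytab
    logging = systemd
    realm = TC83.LOCAL
    security = ADS
    workgroup = TC83
    template homedir = /home/%U@%D
    template shell = /bin/bash
    winbind offline logon = Yes
    winbind refresh tickets = Yes
    idmap config * : backend = autorid
    idmap config * : range = 1000000-19999999
    username map = /etc/samba/user.map
    vfs objects = acl_xattr
    map acl inherit = Yes
[test]
    path = /srv/test
    read only = no
EOF
}

# Maps the domain Administrator onto root so it can set share ACLs from Windows.
write_user_map() {  # write_user_map FILE
    printf '!root = TC83\\Administrator\n' >"$1"
}

# conf_get FILE SECTION KEY: print KEY's value from SECTION (case-insensitive,
# whitespace-tolerant, first match wins; nothing printed when absent).
conf_get() {
    awk -v sect="$2" -v key="$3" '
        /^[ \t]*\[/ { cur = $0; gsub(/[][ \t]/, "", cur); next }
        tolower(cur) == tolower(sect) {
            line = $0; sub(/^[ \t]+/, "", line)
            n = index(line, "="); if (n == 0) next
            k = substr(line, 1, n - 1); gsub(/[ \t]+$/, "", k)
            v = substr(line, n + 1); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (tolower(k) == tolower(key)) { print v; exit }
        }' "$1"
}

# audit_smbconf FILE SHARE: print each point from the reply that FILE misses
# and return the count (0 = clean). Writability is judged from 'read only'
# and 'writeable' only; other Samba synonyms are ignored for brevity.
audit_smbconf() {
    bad=0
    km=$(conf_get "$1" global 'kerberos method' | tr 'A-Z' 'a-z')
    if [ "$km" != "secrets and keytab" ]; then
        echo "global: kerberos method = '$km', want 'secrets and keytab'"; bad=$((bad+1))
    fi
    if [ -z "$(conf_get "$1" global 'username map')" ]; then
        echo "global: no 'username map' (Administrator will not map to root)"; bad=$((bad+1))
    fi
    if [ -n "$(conf_get "$1" "$2" 'valid users')" ]; then
        echo "$2: 'valid users' set; set permissions from Windows instead"; bad=$((bad+1))
    fi
    ro=$(conf_get "$1" "$2" 'read only' | tr 'A-Z' 'a-z')
    wr=$(conf_get "$1" "$2" 'writeable' | tr 'A-Z' 'a-z')
    case "$ro,$wr" in
        no,*|false,*|0,*|*,yes|*,true|*,1) ;;   # writeable one way or the other
        *) echo "$2: share is read-only (Samba default); add 'read only = no'"; bad=$((bad+1)) ;;
    esac
    return $bad
}

# Demo: audit the quoted config, then the corrected one.
write_quoted_smbconf "$WORKDIR/quoted.conf"
write_fixed_smbconf "$WORKDIR/fixed.conf"
write_user_map "$WORKDIR/user.map"
for c in quoted fixed; do
    echo "== $c.conf =="
    if audit_smbconf "$WORKDIR/$c.conf" test; then echo "no findings"; fi
done
# If Samba is installed, let testparm confirm the corrected file parses.
if command -v testparm >/dev/null 2>&1; then
    testparm -s "$WORKDIR/fixed.conf" >/dev/null 2>&1 && echo "testparm: fixed.conf OK"
fi
```

Run it as-is to see four findings against the quoted config and none against the corrected one; point audit_smbconf at a real /etc/samba/smb.conf to check a live member server. The audit deliberately treats a missing read only line as read-only, since that is Samba's default and the reason the quoted [test] share is unwriteable.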