[Samba] Authentication with trusted credentials
Yakov Revyakin
yrevyakin at gmail.com
Mon Jul 13 14:04:14 UTC 2020
Hi friends,
I have a one-way outgoing trust between the SAMBA (trusting) domain and the AD
(trusted) domain.
SSH authentication of a user belonging to the SAMBA domain works properly
on a Linux computer which is a member of the SAMBA domain.
I would like to authenticate a trusted user from the AD domain on the same
Linux computer with SSH. Currently it doesn't work.
I am able to authenticate trusted accounts with wbinfo and kinit. I
followed these guides:
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
https://www.kania-online.de/wp-content/uploads/2019/06/trusts-tutorial.pdf
What did I miss? What additional diagnostics can I run? How do I make a step
forward?
Samba 4.11
DC:
d@us-smdc3:~$ cat /etc/samba/smb.conf
# Global parameters
[global]
# forwarder is the DC of the trusted AD domain (smb.conf only accepts
# comments on their own line, so the note must not follow the value)
dns forwarder = 10.0.1.2
netbios name = US-SMDC3
realm = SVITLA3.ROOM
server role = active directory domain controller
workgroup = SVITLA3
idmap_ldb:use rfc2307 = yes
log level = 1
ldap server require strong auth = no
[sysvol]
path = /var/lib/samba/sysvol
read only = No
[netlogon]
path = /var/lib/samba/sysvol/svitla3.room/scripts
read only = No
Member:
d@uc-smlbox20:~$ cat /etc/samba/smb.conf
[global]
workgroup = SVITLA3
security = ADS
realm = SVITLA3.ROOM
winbind refresh tickets = Yes
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
log file = /var/log/samba/%m.log
log level = 3
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config SVITLA3:backend = ad
idmap config SVITLA3:schema_mode = rfc2307
idmap config SVITLA3:range = 20000-29999
idmap config SVITLA3:unix_nss_info = yes
idmap config APEX:backend = ad
idmap config APEX:schema_mode = rfc2307
idmap config APEX:range = 10000-19999
idmap config APEX:unix_nss_info = yes
vfs objects = acl_xattr
map acl inherit = yes
Thanks,
Jake R
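The script below is an added diagnostic walk-through, not part of the original post or of the linked Samba guides. It checks, on the member, each layer an SSH logon for a trusted-domain user has to pass: winbind knows the trust and can reach a DC of it, the name resolves to a SID, NSS returns a passwd entry whose uid sits inside the idmap range configured for that domain, and winbind can authenticate the account the way pam_winbind would for sshd. Domain names and the range come from the posted member smb.conf; the account name and the nsswitch.conf setting named in the messages are assumptions. The one point it bakes in is that "winbind use default domain = yes" only drops the prefix for the member's own domain (SVITLA3), so a trusted user must be given as APEX\user.

```shell
#!/bin/sh
# Added example: layer-by-layer check of a trusted-domain (APEX) logon on a
# SVITLA3 domain member running winbind. Not taken from the original post.

TRUSTED_DOMAIN=APEX
TRUSTED_RANGE_LO=10000      # from: idmap config APEX:range = 10000-19999
TRUSTED_RANGE_HI=19999

# Trusted-domain users keep the DOMAIN\ prefix even with
# "winbind use default domain = yes"; "\" is the default winbind separator.
qualified_name() {
    printf '%s\\%s' "$1" "$2"
}

# Return 0 when the uid field of a passwd(5) line lies inside [lo, hi].
# Works on any passwd line, so it can be exercised without winbind.
uid_in_range() {
    line=$1; lo=$2; hi=$3
    uid=$(printf '%s\n' "$line" | cut -d: -f3)
    case $uid in
        ''|*[!0-9]*) return 1 ;;     # empty or non-numeric: idmap gave no uid
    esac
    [ "$uid" -ge "$lo" ] && [ "$uid" -le "$hi" ]
}

# Live checks; $1 is the bare account name in the trusted domain (assumed).
run_checks() {
    u=$(qualified_name "$TRUSTED_DOMAIN" "$1")

    printf '== trusts known to winbind (expect %s listed)\n' "$TRUSTED_DOMAIN"
    wbinfo -m --verbose || return 1

    printf '== winbind can reach a DC of %s\n' "$TRUSTED_DOMAIN"
    wbinfo --ping-dc --domain="$TRUSTED_DOMAIN" || return 1

    printf '== name -> SID lookup for %s\n' "$u"
    wbinfo -n "$u" || return 1

    printf '== NSS lookup (needs "passwd: files winbind" in /etc/nsswitch.conf)\n'
    if ! entry=$(getent passwd "$u"); then
        printf 'no passwd entry: with schema_mode = rfc2307 the user needs a uidNumber in AD\n'
        return 1
    fi
    printf '%s\n' "$entry"
    if ! uid_in_range "$entry" "$TRUSTED_RANGE_LO" "$TRUSTED_RANGE_HI"; then
        printf 'uid outside %s-%s: uidNumber in AD does not match the idmap range in smb.conf\n' \
            "$TRUSTED_RANGE_LO" "$TRUSTED_RANGE_HI"
        return 1
    fi

    printf '== password authentication through winbind (what pam_winbind does for sshd)\n'
    wbinfo -a "$u" || return 1       # prompts for the password
}

# Only run the live checks when given a user name on a host that has wbinfo.
if [ -n "${1:-}" ] && command -v wbinfo >/dev/null 2>&1; then
    run_checks "$1"
fi
```

Run it as `sh check-trusted-logon.sh jdoe` (file name and account are placeholders). If every step passes but `ssh 'APEX\jdoe'@host` still fails, the remaining pieces are outside winbind: sshd needs `UsePAM yes`, and the PAM stack sshd uses must include pam_winbind (plus pam_mkhomedir if the home directory does not exist yet).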