[Samba] Authentication with trusted credentials

Yakov Revyakin yrevyakin at gmail.com
Mon Jul 13 14:04:14 UTC 2020


Hi friends,
I have a one-way outgoing trust between the SAMBA trusting domain and the AD
trusted domain.
SSH authentication of a user belonging to the SAMBA domain works properly
on a Linux computer which is a member of the SAMBA domain.
I would like to authenticate a trusted user from the AD domain on the same
Linux computer with SSH. Currently it doesn't work.
I am able to authenticate trusted accounts with wbinfo and kinit. I
followed these guides:
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
https://www.kania-online.de/wp-content/uploads/2019/06/trusts-tutorial.pdf
What did I miss? What additional diagnostics can I run? How can I make a
step forward?

Samba 4.11

DC:
d@us-smdc3:~$ cat /etc/samba/smb.conf
# Global parameters
[global]
        # trusted ad dc (smb.conf only honours whole-line comments; a trailing
        # "# ..." would become part of the dns forwarder value)
        dns forwarder = 10.0.1.2
        netbios name = US-SMDC3
        realm = SVITLA3.ROOM
        server role = active directory domain controller
        workgroup = SVITLA3
        idmap_ldb:use rfc2307 = yes
        log level = 1
        ldap server require strong auth = no

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

[netlogon]
        path = /var/lib/samba/sysvol/svitla3.room/scripts
        read only = No

Member:
d@uc-smlbox20:~$ cat /etc/samba/smb.conf
[global]
   workgroup = SVITLA3
   security = ADS
   realm = SVITLA3.ROOM

   winbind refresh tickets = Yes
   vfs objects = acl_xattr
   map acl inherit = Yes
   store dos attributes = Yes

   dedicated keytab file = /etc/krb5.keytab
   kerberos method = secrets and keytab

   winbind use default domain = yes

   winbind enum users = yes
   winbind enum groups = yes

   load printers = no
   printing = bsd
   printcap name = /dev/null
   disable spoolss = yes

   log file = /var/log/samba/%m.log
   log level = 3

   idmap config * : backend = tdb
   idmap config * : range = 3000-7999

   idmap config SVITLA3:backend = ad
   idmap config SVITLA3:schema_mode = rfc2307
   idmap config SVITLA3:range = 20000-29999
   idmap config SVITLA3:unix_nss_info = yes

   idmap config APEX:backend = ad
   idmap config APEX:schema_mode = rfc2307
   idmap config APEX:range = 10000-19999
   idmap config APEX:unix_nss_info = yes

   vfs objects = acl_xattr
   map acl inherit = yes

Thanks,
Jake R
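An offline check of the winbind idmap part of a member smb.conf, added here as an example; it is not code from the original post or from Samba. It parses smb.conf the way Samba does (only whole-line `#`/`;` comments are ignored, the first `=` splits name and value), groups the `idmap config DOM : option` parameters per domain, and applies the rules from idmap_config(5): every domain including the default `*` needs a backend and a range, a range is `LOW-HIGH` with LOW below HIGH, ranges must not overlap, and `*` must use an allocating backend (tdb, tdb2 or autorid). It also reports domains mapped by the `ad` backend, because winbind then only maps accounts that carry uidNumber/gidNumber in that domain's directory; an account without them gets no UID and cannot log in. The two sample configs are constructed: the first is the member config from the post trimmed to its idmap lines, the second is a deliberately broken variant.

```python
"""Sanity-check the idmap configuration of a Samba member smb.conf offline."""
import re
from typing import Dict, List, Tuple

IDMAP_RE = re.compile(r"^idmap\s+config\s+(\S+?)\s*:\s*(\S+)$", re.IGNORECASE)
ALLOCATING = {"tdb", "tdb2", "autorid"}  # backends that can allocate new ids


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Return {section: {parameter: value}}; parameter names are lower-cased."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # Samba ignores only whole-line comments
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, value = line.split("=", 1)
        # collapse whitespace so 'idmap config X : backend' == 'idmap config X:backend'
        name = re.sub(r"\s+", " ", name.strip().lower())
        sections[current][name] = value.strip()
    return sections


def idmap_domains(global_section: Dict[str, str]) -> Dict[str, Dict[str, str]]:
    """Group 'idmap config DOM : option' parameters per domain (upper-cased)."""
    domains: Dict[str, Dict[str, str]] = {}
    for name, value in global_section.items():
        m = IDMAP_RE.match(name)
        if m:
            domains.setdefault(m.group(1).upper(), {})[m.group(2).lower()] = value
    return domains


def parse_range(value: str) -> Tuple[int, int]:
    """Parse 'LOW-HIGH'; raise ValueError when it is not an ascending pair."""
    low, high = (int(x) for x in value.replace(" ", "").split("-", 1))
    if low >= high:
        raise ValueError(f"low {low} must be below high {high}")
    return low, high


def check_idmap(text: str) -> List[Tuple[str, str]]:
    """Return (severity, message) findings; severity is 'error' or 'note'."""
    findings: List[Tuple[str, str]] = []
    glob = parse_smb_conf(text).get("global", {})
    for name, value in glob.items():              # trailing comments are kept by Samba
        if " #" in value or " ;" in value:
            findings.append(("error", f"'{name}' = {value!r} contains an inline comment; "
                                      "Samba keeps it as part of the value"))
    domains = idmap_domains(glob)
    if "*" not in domains:
        findings.append(("error", "no 'idmap config *' default domain configured"))
    ranges: Dict[str, Tuple[int, int]] = {}
    for dom, opts in sorted(domains.items()):
        backend = opts.get("backend")
        if backend is None:
            findings.append(("error", f"{dom}: no backend configured"))
        elif dom == "*" and backend not in ALLOCATING:
            findings.append(("error", f"*: backend '{backend}' cannot allocate ids; "
                                      "use tdb, tdb2 or autorid"))
        elif backend == "ad":
            findings.append(("note", f"{dom}: backend 'ad' maps only accounts that have "
                                     f"uidNumber/gidNumber set in the {dom} directory"))
        if "range" not in opts:
            findings.append(("error", f"{dom}: no range configured"))
            continue
        try:
            ranges[dom] = parse_range(opts["range"])
        except ValueError as exc:
            findings.append(("error", f"{dom}: bad range {opts['range']!r}: {exc}"))
    doms = sorted(ranges)                          # pairwise overlap check
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:
                findings.append(("error", f"ranges of {a} ({alo}-{ahi}) and "
                                          f"{b} ({blo}-{bhi}) overlap"))
    return findings


# Constructed sample: the member smb.conf from the post, trimmed to its idmap lines
MEMBER_CONF = """\
[global]
   workgroup = SVITLA3
   security = ADS
   realm = SVITLA3.ROOM
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config SVITLA3:backend = ad
   idmap config SVITLA3:schema_mode = rfc2307
   idmap config SVITLA3:range = 20000-29999
   idmap config APEX:backend = ad
   idmap config APEX:schema_mode = rfc2307
   idmap config APEX:range = 10000-19999
"""

# Constructed broken variant: inline comment, overlapping ranges, domain without backend
BROKEN_CONF = """\
[global]
   workgroup = SVITLA3
   dns forwarder = 10.0.1.2 # trusted ad dc
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config SVITLA3:backend = ad
   idmap config SVITLA3:range = 5000-29999
   idmap config APEX:range = 10000-19999
"""

if __name__ == "__main__":
    for label, conf in (("member smb.conf", MEMBER_CONF), ("broken variant", BROKEN_CONF)):
        print(f"== {label}")
        for severity, msg in check_idmap(conf) or [("ok", "no findings")]:
            print(f"  {severity}: {msg}")
```

The posted member config passes with only the two `ad` backend notes, so if `wbinfo -i 'APEX\someuser'` returns a mapping but `getent passwd 'APEX\someuser'` does not, the next things to confirm on the member are whether that account actually has uidNumber/gidNumber in the APEX directory, that `wbinfo -m` lists APEX, and that nsswitch.conf names winbind for passwd and group. Note also that `winbind use default domain = yes` applies only to the member's own domain: trusted accounts must be referenced as `APEX\user` (or with whatever `winbind separator` is set to) in both `getent` and the SSH login name.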

