[Samba] Authentication with trusted credentials

Yakov Revyakin yrevyakin at gmail.com
Thu Jul 16 21:13:04 UTC 2020

Thank you! I have food for tomorrow. Now I only want to voice some of my

Imagine that a domain had no trusts. At this time a PC became a member of
this domain.
After some time the DC made a trust with another domain. In this case existing
members don't consider any extra configuration like adding knowledge about
the new realm, DNS, etc. The existing configuration already provides means of login
and session for a user of a trusted domain.

In my case the Linux PC was informed about the trusting DNS before joining
the domain. After setting DNS but before joining the domain I could
authenticate users from both the trusting and trusted domains with kinit
without any modifications in krb5.conf. And it is what I was waiting for.

So, the PC already has a means to authenticate users from both domains.
How to enable that means?

On Thu, 16 Jul 2020 at 18:30, Rowland penny via samba <samba at lists.samba.org>

> On 16/07/2020 16:11, L.P.H. van Belle via samba wrote:
> > First of all, why does the DOMAIN contains/shows a dot in it.
> > ( i think its a wrong setting in sssd, but i dont know sssd )
> > I know this is one of your REALMs and not the domain.
> >
> >
> > Now your lines :
> > Works Yes: Jul 16 11:23:48 uc-sssdlbox20 sshd[2048]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost= user=SVITLA5.ROOM\test01
> > Works Not: Jul 16 11:24:01 uc-sssdlbox20 sshd[2157]: Invalid user APEX.CORP\\jake from port 62970
> > And i noticed this :
> > OK:    sshd[2048]: pam_sss(sshd:auth)
> > Wrong: sshd[2157]: pam_unix(sshd:auth)
> >
> >
> >      ## Mapped ids from the domain SAMDOM and (*) the range may not overlap !
> >      idmap config ${VAR_SMB_WORKGROUP} : backend = ad
> >      idmap config ${VAR_SMB_WORKGROUP} : schema_mode = rfc2307
> >      idmap config ${VAR_SMB_WORKGROUP} : range = 10000-3999999
> There is a big problem with all that, the only way to use sssd with
> Samba >= 4.8.0 is to use:
>    idmap config ${VAR_SMB_WORKGROUP} : backend = sss
> and not run winbind; you also do not get to use shares, it is
> authentication only. It also will not work correctly on a Samba AD DC,
> because you cannot change the backend and you cannot stop winbind from
> running. I would advise dumping sssd if the OP is using it.
> Rowland
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
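The quoted smb.conf comment says the idmap ranges may not overlap. As an added example (not code from the thread or from Samba), here is a small Python check over a constructed smb.conf fragment with hypothetical domain names; it parses the `idmap config` lines and reports domains without a range and pairs of ranges that overlap.

```python
import re
from typing import Dict, List, Tuple

# Constructed smb.conf fragment (not from the thread): a default "*" backend,
# the workgroup on the ad backend, and a trusted domain whose range collides
# with the workgroup's range.
SAMPLE_SMB_CONF = """
[global]
    workgroup = SAMDOM
    security = ads
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config SAMDOM : backend = ad
    idmap config SAMDOM : schema_mode = rfc2307
    idmap config SAMDOM : range = 10000-3999999
    idmap config TRUSTED : backend = rid
    idmap config TRUSTED : range = 3000000-4999999
"""

# Matches "idmap config <domain> : <option> = <value>"; "*" is a valid domain.
IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)


def parse_idmap(conf: str) -> Dict[str, Dict[str, str]]:
    """Collect idmap options per domain, e.g. {"SAMDOM": {"backend": "ad", ...}}."""
    domains: Dict[str, Dict[str, str]] = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
            domains.setdefault(dom, {})[opt] = val
    return domains


def parse_range(text: str) -> Tuple[int, int]:
    """Turn "10000-3999999" into (10000, 3999999)."""
    lo, hi = (int(x) for x in text.split("-", 1))
    return lo, hi


def lint_idmap(conf: str) -> List[str]:
    """Return findings: domains without a range, and overlapping range pairs."""
    findings: List[str] = []
    ranges: Dict[str, Tuple[int, int]] = {}
    for dom, opts in parse_idmap(conf).items():
        if "range" not in opts:
            findings.append(f"{dom}: no range configured")
            continue
        ranges[dom] = parse_range(opts["range"])
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:  # two ranges overlap when each starts before the other ends
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:
                findings.append(f"{a} {alo}-{ahi} overlaps {b} {blo}-{bhi}")
    return findings
```

Run `lint_idmap(SAMPLE_SMB_CONF)` to see the overlap between SAMDOM and TRUSTED reported; a clean configuration returns an empty list.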
