[Samba] winbind use default domain = true with subdomain

Rowland penny rpenny at samba.org
Fri Apr 23 20:38:04 UTC 2021

On 23/04/2021 21:08, Vex Mage via samba wrote:
> Hello!
>       We have a Windows AD server with a one way trust to our campus
> identity server. Our Windows AD server has the domain/realm COE.

COE is the Netbios domain and isn't the realm, your realm should be the 
dns domain in uppercase i.e. if the dns domain is 'samdom.example.com', 
then the realm would be 'SAMDOM.EXAMPLE.COM'

>   The campus
> identity server has the domain/realm of IDENTITY.
>       I've joined a test machine to the COE domain. Initially I tried to use
> sssd however only winbind seems to support one way trusts so I've joined
> the domain via winbind.

If you do use sssd, we cannot help with it, we do not produce it, so 
know little about it. You also cannot use sssd with Samba >= 4.8.0, you 
must use winbind.

>       Currently I can id localuser at COE and id remoteuser at IDENTITY.

Hmm, it is beginning to look like you are using single label dns 
domains, this is not recommended.

>   I would
> like to be able to do an id remoteuser and avoid the requirement of
> including the realm. I can make this work for COE by setting winbind use
> default domain = true however I cannot find any directive to include the
> subdomain.

You cannot use 'winbind use default domain = yes' with more than one 
netbios domain.

>       Is it possible to accomplish setting the default realm to the trusted
> domain and not specifically for the COE domain? I've also tried looking
> into coercing realmd to set the subdomain as the primary/native but had no
> success.

No, you cannot set the default realm (actually the netbios domain name) 
to the trusted domain, it must be set to the netbios domain that the 
Unix domain member is a member of.

>      I would greatly appreciate any information anyone may be able to
> provide. I can share more information such as configs however they're
> really generic at the moment and they so far are working very well
> otherwise. I'm only trying to avoid a paradigm shift by avoiding having to
> reeducate our college's users to include their realm when logging into our
> Linux computers. Thanks and apologies in advance. I absolutely do
> appreciate it!

I don't think you can do what you are trying to do, but it might help if 
you post the contents of the following files:

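The two points Rowland raises (the realm must be the uppercase DNS domain, not a single label, and 'winbind use default domain = yes' does not work once more than one netbios domain is visible) are easy to check mechanically before a member is joined. The script below is an added example, not code from the thread or from the Samba project. It assumes the configuration uses ordinary smb.conf 'key = value' syntax and that the list of visible netbios domains is supplied as plain text, one name per line (the shape a tool such as 'wbinfo --trusted-domains' prints); both the sample smb.conf and the domain list are constructed inline, and the 'SAMDOM.EXAMPLE.COM' realm in the corrected file is the illustrative name from the reply above, not a real domain.

```shell
#!/bin/sh
# Added example: sanity-check an smb.conf for a single-label realm and for
# 'winbind use default domain = yes' on a member that sees several domains.

# get_param FILE KEY: print the value of KEY. smb.conf parameter names are
# case-insensitive and ignore internal whitespace, so normalise both sides.
get_param() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z' | tr -d ' \t')" '
        /^[ \t]*[;#]/ { next }                      # comment line
        index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/[ \t]/, "", k); k = tolower(k)    # normalised key
            gsub(/^[ \t]+|[ \t]+$/, "", v)          # trimmed value
            if (k == key) print v
        }' "$1"
}

# realm_ok FILE: succeed only when the realm is a dotted (DNS) name written
# in uppercase, i.e. not a single label such as 'COE'.
realm_ok() {
    realm=$(get_param "$1" realm)
    case "$realm" in
        *.*) ;;              # contains a dot: a DNS domain, not a bare label
        *) return 1 ;;
    esac
    [ "$realm" = "$(printf '%s' "$realm" | tr 'a-z' 'A-Z')" ]
}

# default_domain_ok FILE DOMAINLIST: fail when 'winbind use default domain'
# is enabled while more than one netbios domain is visible, because bare
# user names are then ambiguous.
default_domain_ok() {
    setting=$(get_param "$1" 'winbind use default domain' | tr 'A-Z' 'a-z')
    case "$setting" in
        yes|true|1) ;;
        *) return 0 ;;       # option off: nothing to check
    esac
    ndom=$(grep -c '[^[:space:]]' "$2")    # non-blank lines = domains seen
    [ "$ndom" -le 1 ]
}

# Constructed sample mirroring the thread: single-label realm, default
# domain enabled, and a trusted domain visible next to the member's own.
WORK=$(mktemp -d)
cat > "$WORK/smb.conf" <<'EOF'
[global]
   workgroup = COE
   realm = COE
   security = ADS
   winbind use default domain = yes
EOF
printf 'COE\nIDENTITY\n' > "$WORK/domains.txt"

# Corrected counterpart (constructed): realm is the uppercase DNS domain and
# the default-domain option is off, so both domains stay addressable.
cat > "$WORK/smb-fixed.conf" <<'EOF'
[global]
   workgroup = COE
   realm = SAMDOM.EXAMPLE.COM
   security = ADS
   winbind use default domain = no
EOF

# report FILE DOMAINLIST: human-readable summary of both checks.
report() {
    f=$1; d=$2
    echo "== $f"
    if realm_ok "$f"; then echo "realm: ok"
    else echo "realm: '$(get_param "$f" realm)' is not an uppercase DNS domain"; fi
    if default_domain_ok "$f" "$d"; then echo "default domain: ok"
    else echo "default domain: enabled with $(grep -c '[^[:space:]]' "$d") domains visible; bare user names are ambiguous"; fi
}
report "$WORK/smb.conf" "$WORK/domains.txt"
report "$WORK/smb-fixed.conf" "$WORK/domains.txt"
```

Run it against a real member by pointing the two functions at /etc/samba/smb.conf and a file holding the output of 'wbinfo --trusted-domains'; the first sample reproduces both complaints from the reply, the second passes.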