[Samba] Accessing Samba domain member shares from trusted domain

Vaughan, Robert J vaughar2 at gdls.com
Tue Nov 12 17:49:53 UTC 2024


Ok well I have that setting you mention

I just can't map my trusted AD account in the trusting domain on my Linux Samba domain member

I can't see any users in the trusted domain actually

wbinfo -u --domain=TRUSTED

returns nothing at all

I did see an article that suggested the POSIX attributes for AD users need to be published to the AD global catalogue before they can be accessed in the external trust domain? My Wintel AD guys say the attributes are not published. But still I might expect to see users listed with wbinfo even if their POSIX attributes are not allowing use as a UNIX account?

Thanks,

Robert Vaughan
UNIX and Linux Systems
IT - Infrastructure
General Dynamics Land Systems - Canada

Office:   +1 519 964 5276
Mobile:  +1 519 639 8151
vaughar2 at gdls.com



-----Original Message-----
From: samba <samba-bounces at lists.samba.org> On Behalf Of Ralph Boehme via samba
Sent: Tuesday, November 12, 2024 12:26 PM
To: Vaughan, Robert J <vaughar2 at gdls.com>; samba at lists.samba.org
Subject: Re: [Samba] Accessing Samba domain member shares from trusted domain

On 11/12/24 6:20 PM, Vaughan, Robert J via samba wrote:
> So in my situation where the AD trust is one-way, not transitive, and 
> the trusting domain is external, and both domains are AD (Kerberos 
> only, no NTLM)?
> 
> This should all work for a Samba server domain member in the trusting 
> domain sharing to the trusted domain, where the Samba server cannot 
> see the trusted domain DC/KDC?
yes.

I would make sure to use "winbind scan trusted domains = yes" and ignore the wbinfo -m and --online-status stuff. As a domain member, we should only ever talk to a DC of our primary domain and with "winbind scan trusted domains = yes" that's exactly how we will behave. Trusted domains are added to our internal list of known domains when a user from a trusted domain authenticates and will then start appearing in the wbinfo commands, but not otherwise.

-slow

-- 
SerNet Samba Team Lead https://sernet.de/
Samba Team Member      https://samba.org/
SAMBA+ packages       https://samba.plus/
