[Samba] Accessing Samba domain member shares from trusted domain

Ralph Boehme slow at samba.org
Tue Nov 12 17:58:56 UTC 2024


On 11/12/24 6:49 PM, Vaughan, Robert J via samba wrote:
> Ok well I have that setting you mention
> 
> I just can't map my trusted AD account in the trusting domain on my
> Linux Samba domain member
> 
> I can't see any users in the trusted domain actually
> 
> wbinfo -u --domain=TRUSTED
> 
> returns nothing at all

This is as expected. We're not allowed to talk to a DC in the trusted
domain to query a user list. That can't be done via a trust route.

> I did see an article that suggested the POSIX attributes for AD
> users need to be published to the AD global catalogue before they
> can be accessed in the external trust domain?  My Wintel AD guys
> say the attributes are not published.  But still I might expect to
> see users listed with wbinfo even if their POSIX attributes are not
> allowing use as a UNIX account?

You can't use idmap_ad for a trusted domain with outbound trust, as we
can't connect to a DC in that domain via LDAP. You have to use a
different idmap backend. You could also use idmap_rfc2307 to point at an
LDAP server that does allow connections and also stores the mappings.

-slow

-- 
SerNet Samba Team Lead https://sernet.de/
Samba Team Member      https://samba.org/
SAMBA+ packages       https://samba.plus/
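
The reply's suggestion as an smb.conf sketch, added here as an illustration and not part of the original message: the member keeps idmap_ad for its own domain and maps TRUSTED through idmap_rfc2307 against a stand-alone LDAP server. The domain name MYDOM, the realm, the ID ranges, the LDAP URL and the DNs are constructed placeholders.

```ini
[global]
    # Constructed example: MYDOM, the realm, ranges, URL and DNs are placeholders.
    security = ads
    workgroup = MYDOM
    realm = MYDOM.EXAMPLE.COM

    # Default domain: BUILTIN and any domain without its own idmap config.
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999

    # The member's own domain: idmap_ad reads RFC2307 attributes from its DCs.
    idmap config MYDOM : backend = ad
    idmap config MYDOM : schema_mode = rfc2307
    idmap config MYDOM : range = 10000-999999

    # Not usable for the trusted domain: idmap_ad would need an LDAP
    # connection to a DC in TRUSTED, which the outbound trust does not give.
    # idmap config TRUSTED : backend = ad

    # Instead, read the TRUSTED mappings from a stand-alone LDAP server that
    # accepts connections from this member. Ranges must not overlap.
    idmap config TRUSTED : backend = rfc2307
    idmap config TRUSTED : range = 1000000-1999999
    idmap config TRUSTED : ldap_server = stand-alone
    idmap config TRUSTED : ldap_url = ldap://ldap1.example.com
    idmap config TRUSTED : ldap_user_dn = cn=idmap-reader,dc=example,dc=com
    idmap config TRUSTED : bind_path_user = ou=People,dc=example,dc=com
    idmap config TRUSTED : bind_path_group = ou=Group,dc=example,dc=com
```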