[Samba] Accessing Samba domain member shares from trusted domain
Ralph Boehme
slow at samba.org
Tue Nov 12 17:58:56 UTC 2024
On 11/12/24 6:49 PM, Vaughan, Robert J via samba wrote:
> Ok well I have that setting you mention
>
> I just can't map my trusted AD account in the trusting domain on my
> Linux Samba domain member
>
> I can't see any users in the trusted domain actually
>
> wbinfo -u --domain=TRUSTED
>
> returns nothing at all

This is as expected. We're not allowed to talk to a DC in the trusted
domain to query a user list. That can't be done via a trust route.

> I did see an article that suggested the POSIX attributes for AD
> users need to be published to the AD global catalogue before they
> can be accessed in the external trust domain? My Wintel AD guys
> say the attributes are not published. But still I might expect to
> see users listed with wbinfo even if their POSIX attributes are not
> allowing use as a UNIX account?

You can't use idmap_ad for a trusted domain with outbound trust, as we
can't connect to a DC in that domain via LDAP. You have to use a
different idmap backend. You could also use idmap_rfc2307 to point at an
LDAP server that does allow connections and also stores the mappings.

-slow
--
SerNet Samba Team Lead https://sernet.de/
Samba Team Member https://samba.org/
SAMBA+ packages https://samba.plus/
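
An smb.conf sketch of the layout the reply describes, added here as an illustration; it is not from the original message or from the Samba project. The domain names TRUSTING and TRUSTED, the realm, the ID ranges, the LDAP host and every DN are placeholder assumptions.

```ini
[global]
    security = ADS
    workgroup = TRUSTING
    realm = TRUSTING.EXAMPLE.COM

    # Default backend for BUILTIN and any domain without its own section.
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999

    # The member's own domain: its DCs are reachable via LDAP, so
    # idmap_ad can read the POSIX attributes there.
    idmap config TRUSTING : backend = ad
    idmap config TRUSTING : schema_mode = rfc2307
    idmap config TRUSTING : range = 10000-999999

    # Does NOT work for the trusted domain over an outbound trust:
    # winbindd cannot open an LDAP connection to a DC in TRUSTED.
    # idmap config TRUSTED : backend = ad

    # Instead, read the mappings from an LDAP server that does accept
    # connections and stores uidNumber/gidNumber for TRUSTED's accounts.
    idmap config TRUSTED : backend = rfc2307
    idmap config TRUSTED : range = 1000000-1999999
    idmap config TRUSTED : ldap_server = stand-alone
    idmap config TRUSTED : ldap_url = ldap://ldap.example.com
    idmap config TRUSTED : bind_path_user = ou=People,dc=example,dc=com
    idmap config TRUSTED : bind_path_group = ou=Groups,dc=example,dc=com
    # Bind as a read-only account rather than anonymously; the password
    # is kept in secrets.tdb (net idmap set secret), not in this file.
    idmap config TRUSTED : ldap_user_dn = cn=idmap-reader,dc=example,dc=com

    # Another backend that needs no LDAP access to TRUSTED is idmap_rid,
    # which derives IDs from the SID's RID:
    # idmap config TRUSTED : backend = rid
    # idmap config TRUSTED : range = 1000000-1999999
```

The ranges of the three idmap sections must not overlap. An empty `wbinfo -u --domain=TRUSTED` remains expected with this configuration, since enumeration across the trust is not possible; check a single account with `wbinfo -i 'TRUSTED\username'` instead.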