[Samba] Accessing Samba domain member shares from trusted domain

Ralph Boehme slow at samba.org
Fri Nov 22 21:02:37 UTC 2024


On 11/22/24 8:46 PM, Vaughan, Robert J via samba wrote:
> When you said I can't use idmap_ad in my trusting domain because
> 'we're not allowed to talk to a DC in the trusted domain', does that
> still apply even if we can provide a read-only DC from the trusted
> domain inside the trusting domain network?

Yes, because the system accesses resources with the machine account that 
is part of your domain and, due to the one-way trust, accounts from your 
domain are not allowed to authenticate in the trusted domain.

Iirc you should be able to use idmap_rfc2307 instead as that allows 
specifying an account name to use to authenticate to the LDAP server, 
which can be an AD DC.

I've never set up something like this myself, but I'm sure one of my 
colleagues from our Samba team at SerNet has. Let me know if you need 
help with it and want to work with someone who knows this stuff. :)

-slow

-- 
SerNet Samba Team Lead https://sernet.de/
Samba Team Member      https://samba.org/
SAMBA+ packages       https://samba.plus/
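
Added example, not part of the original message and not a configuration from SerNet or the Samba project: a sketch of an smb.conf fragment on the member server in the trusting domain that uses idmap_rfc2307 with a dedicated bind account, as the reply suggests. The domain names, host name, DNs and ID ranges are constructed placeholders, and it assumes the trusted domain's users carry RFC 2307 attributes; check the option names against idmap_rfc2307(8) for your Samba version.

```ini
[global]
    # Constructed placeholders: TRUSTING is this member's own domain,
    # TRUSTED is the one-way trusted domain whose users access the shares.
    workgroup = TRUSTING
    realm = TRUSTING.EXAMPLE.COM
    security = ads

    # Default domain for BUILTIN and anything not matched below.
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999

    # Look up IDs for TRUSTED users over LDAP. "stand-alone" makes the module
    # bind with the account named in ldap_user_dn instead of the machine
    # account, which cannot authenticate across the one-way trust.
    idmap config TRUSTED : backend = rfc2307
    idmap config TRUSTED : range = 100000-199999
    idmap config TRUSTED : ldap_server = stand-alone
    idmap config TRUSTED : ldap_url = ldap://dc1.trusted.example.com
    idmap config TRUSTED : ldap_user_dn = CN=svc-idmap,CN=Users,DC=trusted,DC=example,DC=com
    idmap config TRUSTED : bind_path_user = CN=Users,DC=trusted,DC=example,DC=com
    idmap config TRUSTED : bind_path_group = CN=Users,DC=trusted,DC=example,DC=com

    # The bind password is not written here. Store it in secrets.tdb with:
    #   net idmap set secret TRUSTED '<password>'
    # Use a low-privilege account in TRUSTED that only needs read access to
    # the user and group objects.
```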