
Re: [Samba] Winbind with krb5auth for trust users




Hi,

I already added the two lines in smb.conf for my last test.

Andreas

[global]
       security = ADS
       workgroup = LOC
       realm = LOC.EXAMPLE.COM
       dedicated keytab file = /etc/krb5.keytab
       kerberos method = secrets and keytab

       log file = /var/log/samba/%m.log
       log level = 1

       template homedir = /home/%D/%U
       template shell = /bin/bash

       # Default ID mapping configuration for local BUILTIN accounts
       # and groups on a domain member. The default (*) domain:
       # - must not overlap with any domain ID mapping configuration!
       # - must use a read-write-enabled back end, such as tdb.
       # - Adding just this is not enough
       # - You must set a DOMAIN backend configuration, see below
       idmap config * : backend = tdb
       idmap config * : range = 3000-9999
       idmap config LOC : backend = rid
       idmap config LOC : range = 1000000-2000000
       idmap config GLOB : backend = rid
       idmap config GLOB : range = 3000000-4000000


On 22.08.2017 at 14:10, Rowland Penny via samba wrote:
On Tue, 22 Aug 2017 13:51:24 +0200
Andreas Hauffe via samba <samba@xxxxxxxxxxxxxxx> wrote:

Hi,

sorry for not reading the comment above idmap config. I uninstalled
and reinstalled samba and configs to remove all old id mappings and
so on. Then changed all configs as advised. The id mapping is working
correctly (wbinfo -i) for local and trusted domain. But I still
cannot log on with wbinfo -K with a trusted domain account.

You will probably need a couple more lines in smb.conf:

           idmap config OTHERDOM : backend = rid
           idmap config OTHERDOM : range = 2000001-3000000

Rowland


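Added example, not part of the original thread and not Samba project code: a small Python check for the rule stated in the smb.conf comment above, that the default (*) idmap range must not overlap any domain range. The function names are hypothetical, the sample text is constructed from the idmap lines posted in this thread, and ranges are assumed to be inclusive, so a shared boundary ID counts as an overlap.

```python
import re
from itertools import combinations

# Constructed sample: the idmap lines from the smb.conf posted in this thread.
SAMPLE_SMB_CONF = """
[global]
       idmap config * : backend = tdb
       idmap config * : range = 3000-9999
       idmap config LOC : backend = rid
       idmap config LOC : range = 1000000-2000000
       idmap config GLOB : backend = rid
       idmap config GLOB : range = 3000000-4000000
"""

# Matches "idmap config DOMAIN : backend = x" and "idmap config DOMAIN : range = a-b".
IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>\S+)\s*:\s*"
    r"(?P<key>backend|range)\s*=\s*(?P<val>.+?)\s*$",
    re.IGNORECASE,
)

def parse_idmap(conf_text):
    """Return {domain: {'backend': str, 'range': (low, high)}} from smb.conf text."""
    domains = {}
    for line in conf_text.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue  # comments and unrelated parameters do not match
        entry = domains.setdefault(m["dom"].upper(), {})
        if m["key"].lower() == "range":
            low, high = (int(x) for x in m["val"].split("-"))
            entry["range"] = (low, high)
        else:
            entry["backend"] = m["val"].lower()
    return domains

def check_idmap(domains):
    """Return a list of problems: missing, inverted or overlapping ranges."""
    problems = []
    for dom, cfg in domains.items():
        if "range" not in cfg:
            problems.append(f"{dom}: no range configured")
        elif cfg["range"][0] > cfg["range"][1]:
            problems.append(f"{dom}: inverted range {cfg['range']}")
    ranged = [(d, c["range"]) for d, c in domains.items() if "range" in c]
    for (d1, (lo1, hi1)), (d2, (lo2, hi2)) in combinations(ranged, 2):
        if lo1 <= hi2 and lo2 <= hi1:  # inclusive ranges share at least one ID
            problems.append(f"{d1} {lo1}-{hi1} overlaps {d2} {lo2}-{hi2}")
    return problems
```

Calling check_idmap(parse_idmap(text)) on the contents of an smb.conf returns an empty list when every configured domain has a range and no two ranges share an ID.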