[Samba] Attempting a trust between Samba and Windows AD DC

Hi all,

We are about to integrate a large number of users into our organisation and
I've been tasked with attempting to allow said users access to our internal
systems which are controlled from 10 x Samba 4.6.3 DCs across several

All Samba DCs are running either Ubuntu 14.04 or 16.04.

Replication works nicely between these DCs and this system has been
relatively stable for some time now. We use BIND_DLZ as our DNS backend.

The new users will be being created on a Windows Server 2016 AD DC and I've
created a trust between the 2 domains (which has validated at both ends).
wbinfo returns useful information for each domain and I've got SSSD working
from a member server. I can assign rights to a share on a member server
from the trusted domain and all looks good. However, I am unable to access
the shares on our member servers (fileservers) as one of the new external
users. It feels like I'm quite close but I am either missing something very
obvious or going about it in the wrong way.

All member servers are running Ubuntu and at least Samba 4.6.3 (some of
them newer). I've created a test member server for me to test things out
on. I am currently testing with SSSD as it allows multiple domains to be
declared. My smb.conf currently looks like this:

[global]
   netbios name = FS-006
   security = ADS
   realm = EXAMPLE.COM
   workgroup = EXAMPLE

   allow trusted domains = yes

   log file = /var/log/samba/%m.log

   kerberos method = secrets and keytab

   idmap config *:backend = tdb
   idmap config *:range = 500-2000
   idmap config EXAMPLE:backend = ad
   idmap config EXAMPLE:schema_mode = rfc2307
   idmap config EXAMPLE:range = 10000-9999999
   idmap config EXTERNAL:backend = ad
   idmap config EXTERNAL:schema_mode = rfc2307
   idmap config EXTERNAL:range = 10000000-99999999999

   client signing = yes
   client use spnego = yes

   vfs objects = acl_xattr,full_audit

   server signing = mandatory

   # VFS settings
   full_audit:prefix = %u|%I|%m|%S
   full_audit:success = mkdir rename unlink rmdir pwrite
   full_audit:failure = none
   full_audit:facility = local7
   full_audit:priority = notice

   map acl inherit = Yes
   store dos attributes = Yes
   log level = 5


   path = /data/test
   read only = no

# end

If anyone has any experience with a similar scenario I'd appreciate your
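An added example, not from the post or from Samba itself: a small Python check that parses the idmap config lines of an smb.conf like the one above and flags ranges that cannot fit a 32-bit uid_t, overlap each other, sit low enough to collide with local accounts, or are missing for a domain winbind reports as trusted. The config text is a constructed copy of the post's settings; the domain list (including the extra domain PARTNER) is an assumed `wbinfo -m` output.

```python
import re

UID_MAX = 2**32 - 1  # uid_t/gid_t are 32 bits on Linux; winbind cannot map above this
# Constructed sample: the idmap lines from the smb.conf in the post, plus a domain
# list as `wbinfo -m` prints it (assumed output; PARTNER is an invented extra trust).
SAMPLE_CONF = """
   idmap config *:backend = tdb
   idmap config *:range = 500-2000
   idmap config EXAMPLE:backend = ad
   idmap config EXAMPLE:schema_mode = rfc2307
   idmap config EXAMPLE:range = 10000-9999999
   idmap config EXTERNAL:backend = ad
   idmap config EXTERNAL:schema_mode = rfc2307
   idmap config EXTERNAL:range = 10000000-99999999999
"""
SAMPLE_DOMAINS = ["BUILTIN", "EXAMPLE", "EXTERNAL", "PARTNER"]

IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+([^:]+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)


def parse_idmap(conf):
    """Return {DOMAIN: {option: value}} for every 'idmap config' line in conf."""
    cfg = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            cfg.setdefault(m.group(1).upper(), {})[m.group(2).lower()] = m.group(3)
    return cfg


def check_idmap(conf, domains):
    """Return human-readable findings; an empty list means nothing looked wrong."""
    cfg, findings, ranges = parse_idmap(conf), [], []
    for dom, opts in cfg.items():
        if "range" not in opts:
            findings.append(f"{dom}: backend configured but no range")
            continue
        low, high = (int(x) for x in opts["range"].replace(" ", "").split("-"))
        if high > UID_MAX:
            findings.append(f"{dom}: range high {high} exceeds 32-bit uid_t ({UID_MAX})")
        if low < 10000:
            findings.append(f"{dom}: range starts at {low}, may collide with local accounts (Ubuntu users start at 1000)")
        ranges.append((low, high, dom))
    ranges.sort()  # adjacent pairs after sorting are enough to detect any overlap
    for (_, h1, d1), (l2, _, d2) in zip(ranges, ranges[1:]):
        if l2 <= h1:
            findings.append(f"{d1} and {d2}: idmap ranges overlap")
    for dom in domains:
        if dom not in cfg and dom != "BUILTIN":  # BUILTIN is mapped via the '*' default
            findings.append(f"{dom}: trusted domain has no idmap config, falls back to '*'")
    return findings
```

Run against the post's config it reports that the EXTERNAL range top is far beyond what a 32-bit uid_t can hold, so the effective range is not what the author intended.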