Re: [Samba] Attempting a trust between Samba and Windows AD DC
- Date: Wed, 15 Nov 2017 17:27:47 +0000
- From: Chris Alavoine via samba <samba@xxxxxxxxxxxxxxx>
- Subject: Re: [Samba] Attempting a trust between Samba and Windows AD DC
I didn't have much luck getting SSSD to work so I'm currently testing out
Built a new member server from source on Ubuntu 16.04. I used the following
./configure --enable-fhs --prefix=/usr --sysconfdir=/etc
This seems to install nicely onto Ubuntu and puts everything in the right
place. Winbind works well which is what I've always had problems with in
My current smb.conf on the Domain member looks like this:
netbios name = FS-007
security = ADS
workgroup = EXAMPLE
realm = ADS.EXAMPLE.COM
log file = /var/log/samba/%m.log
log level = 7
idmap config * : backend = tdb
idmap config * : range = 200-499
idmap config EXAMPLE:backend = ad
idmap config EXAMPLE:schema_mode = rfc2307
idmap config EXAMPLE:range = 500-400000
idmap config EXAMPLE:unix_nss_info = yes
idmap config EXAMPLE:unix_primary_group = yes
idmap config EXTERNAL : backend = rid
idmap config EXTERNAL : range = 400001-99999999
winbind nss info = template
template shell = /bin/bash
template homedir = /home/%U
# allow trusted domains = yes
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
# kerberos method = secrets and keytab
client signing = yes
client use spnego = yes
vfs objects = acl_xattr,full_audit
server signing = mandatory
# VFS settings
full_audit:prefix = %u|%I|%m|%S
full_audit:success = mkdir rename unlink rmdir pwrite
full_audit:failure = none
full_audit:facility = local7
full_audit:priority = notice
map acl inherit = yes
store dos attributes = yes
path = /data/test/
read only = no
This gives me good connectivity on the EXAMPLE domain, wbinfo and getent
work nicely and are returning correct values.
Not much luck getting EXTERNAL domain to work though. A trust exists
between the two forests and Kerberos and DNS are all working ok.
"wbinfo -u --domain EXTERNAL" returns users as does "wbinfo -g --domain
EXTERNAL" return groups. However, I cannot get getent to give me anything.
The EXAMPLE domain is a group of Samba 4.6.3 DC's (about 10 of them, all
The EXTERNAL domain is a new Windows AD DC running Windows Server 2008 R2,
I've also added a new Samba 4.7.2 to this domain which is replicating
I've tried both rid and ad on the EXTERNAL domain with no luck.
I've installed Server for NIS on the Windows Server 2008 R2 AD DC and added
NIS info there (this was for testing using ad on idmap), but no joy.
Any pointers most appreciated.
On 7 November 2017 at 15:47, Chris Alavoine <chrisa@xxxxxxxxxxxxxx> wrote:
> Hi Rowland,
> Thanks for the swift response.
> I'm not married to SSSD and am happy to use the best tool for the job, but
> was just looking for some general advice on my situation.
> I'll post on the sssd-users mailing as well.
> On 7 November 2017 at 15:38, Rowland Penny <rpenny@xxxxxxxxx> wrote:
>> On Tue, 7 Nov 2017 15:06:55 +0000
>> Chris Alavoine via samba <samba@xxxxxxxxxxxxxxx> wrote:
>> > Hi all,
>> > We are about to integrate a large number of users into our
>> > organisation and I've been tasked with attempting to allow said users
>> > access to our internal systems which are controlled from 10 x Samba
>> > 4.6.3 DC's across several sites.
>> > All Samba DC's are running either Ubuntu 14.04 or 16.04.
>> > Replication works nicely between these DC's and this system has been
>> > relatively stable for some time now. We use BIND_DLZ as our DNS
>> > backend.
>> > The new users will be being created on a Windows Server 2016 AD DC
>> > and I've created a trust between the 2 domains (which has validated
>> > at both ends). wbinfo returns useful information for each domain and
>> > I've got SSSD working from a member server. I can assign rights to a
>> > share on a member server from the trusted domain and all looks good.
>> > However, I am unable to access the shares on our member servers
>> > (fileservers) as one of the new external users. It feels like I'm
>> > quite close but I am either missing something very obvious or going
>> > about it in the wrong way.
>> > All member servers are running Ubuntu and at least Samba 4.6.3 (some
>> > of them newer). I've created a test member server for me to test
>> > things out on. I am currently testing with SSSD as it allows multiple
>> > domains to be declared. My smb.conf currently looks like this:
>> > [global]
>> > netbios name = FS-006
>> > security = ADS
>> > realm = EXAMPLE.COM
>> > workgroup = EXAMPLE
>> > allow trusted domains = yes
>> > log file = /var/log/samba/%m.log
>> > kerberos method = secrets and keytab
>> > idmap config *:backend = tdb
>> > idmap config *:range = 500-2000
>> > idmap config EXAMPLE:backend = ad
>> > idmap config EXAMPLE:schema_mode = rfc2307
>> > idmap config EXAMPLE:range = 10000-9999999
>> > idmap config EXTERNAL:backend = ad
>> > idmap config EXTERNAL:schema_mode = rfc2307
>> > idmap config EXTERNAL:range = 10000000-99999999999
>> If you are running sssd and using it for authentication, then the above
>> 'idmap config' is useless.
>> If you want to continue using sssd, then can I suggest asking on the
>> sssd-users mailing list, sssd has nothing to do with Samba.
> ACS (Alavoine Computer Services Ltd)
> Chris Alavoine
> mob +44 (0)7724 710 730 <07724%20710730>
ACS (Alavoine Computer Services Ltd)
mob +44 (0)7724 710 730
To unsubscribe from this list go to the following URL and read the