Hi Rowland,
   Below is output of testparm.  Samba is set up as standalone server.
# testparm
Load smb config files from /etc/samba/smb.conf
Processing section "[generic]"
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions
[global]
         realm = PHYSICS.WISC.EDU
         server string = %h server
         server role = standalone server
         security = ADS
         map to guest = Bad User
         pam password change = Yes
         passwd program = /usr/bin/passwd %u
         passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
         unix password sync = Yes
         kerberos method = secrets and keytab
         syslog = 0
         max log size = 100000
         client ldap sasl wrapping = sign
         dns proxy = No
         panic action = /usr/share/samba/panic-action %d
         idmap config * : backend = tdb

[generic]
         path = /srv/smb
I forgot to explicitly mention that with the testparm output I sent originally I can use smbclient to connect to the samba server with a kerberos ticket from the PHYSICS.WISC.EDU realm. If I change REALM = AD.WISC.EDU I can then log in to the samba server with a kerberos ticket from the AD.WISC.EDU realm. I'd like to do either or without changing the smb.conf.

Thanks again!
C.

On Tuesday, March 01, 2016 15:08:13 Chad William Seys wrote:
> Hi Rowland,
> Below is output of testparm. Samba is set up as standalone server.
>
> # testparm
> Load smb config files from /etc/samba/smb.conf
> Processing section "[generic]"
> Loaded services file OK.
> Server role: ROLE_DOMAIN_MEMBER
> Press enter to see a dump of your service definitions
>
> [global]
>          realm = PHYSICS.WISC.EDU
>          server string = %h server
>          server role = standalone server
>          security = ADS
>          map to guest = Bad User
>          pam password change = Yes
>          passwd program = /usr/bin/passwd %u
>          passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
>          unix password sync = Yes
>          kerberos method = secrets and keytab
>          syslog = 0
>          max log size = 100000
>          client ldap sasl wrapping = sign
>          dns proxy = No
>          panic action = /usr/share/samba/panic-action %d
>          idmap config * : backend = tdb
>
> [generic]
>          path = /srv/smb
On 01/03/16 21:08, Chad William Seys wrote:
> Hi Rowland,
> Below is output of testparm. Samba is set up as standalone server.

Sorry but it isn't a standalone server.

> # testparm
> Load smb config files from /etc/samba/smb.conf
> Processing section "[generic]"
> Loaded services file OK.
> Server role: ROLE_DOMAIN_MEMBER

See, even 'testparm' says it isn't.

> Press enter to see a dump of your service definitions
>
> [global]
>          realm = PHYSICS.WISC.EDU
>          server string = %h server
>          server role = standalone server
>          security = ADS
>          map to guest = Bad User
>          pam password change = Yes
>          passwd program = /usr/bin/passwd %u
>          passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
>          unix password sync = Yes
>          kerberos method = secrets and keytab
>          syslog = 0
>          max log size = 100000
>          client ldap sasl wrapping = sign
>          dns proxy = No
>          panic action = /usr/share/samba/panic-action %d
>          idmap config * : backend = tdb
>
> [generic]
>          path = /srv/smb

Are you using sssd or nslcd? If not, where are the idmap & winbind lines?

Also on a domain member (this is what you have), you cannot use 'unix password sync', mainly because you can have users etc in AD or in /etc/passwd, but not both.

To answer your original question, no I don't think you can have two 'Realms'. What you can have are trusts. I suggest you start here to see how to setup smb.conf correctly:

https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member

Rowland
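The conflicts Rowland points at (a declared 'standalone server' role next to security = ADS, 'unix password sync' on a domain member, and no idmap range for the domain) can be checked mechanically before smbd is restarted. The following is an added example, not code from the thread or from Samba; it assumes the precedence the testparm output above demonstrates (security = ADS or DOMAIN makes the effective role a domain member, whatever 'server role' says) and runs against a constructed smb.conf that reproduces the thread's settings.

```python
import re

# Constructed sample reproducing the [global] settings from the thread (not a live file).
SAMPLE_SMB_CONF = """[global]
        realm = PHYSICS.WISC.EDU
        server role = standalone server
        security = ADS
        unix password sync = Yes
        idmap config * : backend = tdb

[generic]
        path = /srv/smb
"""

def parse_smb_conf(text):
    """Parse smb.conf text into {section: {key: value}}; keys lower-cased, whitespace collapsed."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1).strip().lower()
            sections[current] = {}
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][" ".join(key.split()).lower()] = value.strip()
    return sections

def effective_role(global_sec):
    """Role Samba actually runs with. Assumption (matches the testparm output in the
    thread): when 'security' conflicts with 'server role', security wins, and
    ADS/DOMAIN mean a domain member."""
    security = global_sec.get("security", "").lower()
    declared = global_sec.get("server role", "auto").lower()
    if security in ("ads", "domain"):
        return "ROLE_DOMAIN_MEMBER"
    if declared in ("auto", "standalone", "standalone server"):
        return "ROLE_STANDALONE"
    return "ROLE_" + declared.upper().replace(" ", "_")

def lint_global(global_sec):
    """Return the findings a reviewer would raise for this [global] section."""
    findings, role = [], effective_role(global_sec)
    if global_sec.get("server role", "").lower().startswith("standalone") and role == "ROLE_DOMAIN_MEMBER":
        findings.append("'server role = standalone server' is overridden by 'security = ADS'")
    if role == "ROLE_DOMAIN_MEMBER":
        if global_sec.get("unix password sync", "no").lower() in ("yes", "true", "1"):
            findings.append("'unix password sync' is not usable on a domain member")
        if not any(re.match(r"^idmap config .+ : range$", k) for k in global_sec):
            findings.append("no 'idmap config ... : range' line; winbind cannot map AD ids")
    return findings
```

Running `lint_global(parse_smb_conf(SAMPLE_SMB_CONF)["global"])` reports all three of Rowland's objections; a config with security = user and no ADS settings comes back clean.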
Hi Rowland,

> Are you using sssd or nslcd ?

I am using sssd. I can ssh into the server using credentials from either Kerberos realm. E.g.

ssh cwseys@PHYSICS.WISC.EDU@smb01.physics.wisc.edu (works)
ssh seys@AD.WISC.EDU@smb01.physics.wisc.edu (works)

PHYSICS.WISC.EDU is an MIT Kerberos KDC. AD.WISC.EDU is an Active Directory KDC (etc).

The reason I thought sssd would be best is because I want to use the /etc/passwd file for user existence and it was easy to set up. If sssd is not going to work for the overall goal of being able to use credentials from either Kerberos realm to authenticate, then I'm happy to ditch it!

> Also on a domain member (this is what you have), you cannot use 'unix
> password sync', mainly because you can have users etc in AD or in
> /etc/passwd, but not both.

I thought as much, but also did not remove this default from the smb.conf as yet. There are other mechanisms for changing passwords in the two Kerberos realms.

> To answer your original question, no I don't think you can have two
> 'Realms'. What you can have are trusts, I suggest you start here to see
> how to setup smb.conf correctly:
>
> https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member

I did not see anything useful for setting up authentication to multiple Kerberos realms or multiple trusts.

> Sorry but it isn't a standalone server.
>
>> # testparm
>> Load smb config files from /etc/samba/smb.conf
>> Processing section "[generic]"
>> Loaded services file OK.
>> Server role: ROLE_DOMAIN_MEMBER

Hmm, I also have 'server role = standalone server' in the config file, but I guess that has been overridden. I have run 'net ads join -U myADUser' when REALM=AD.WISC.EDU. It looks like 'net ads join' adds a machine principal into the AD.WISC.EDU Kerberos database and into the local machine's keytab. What other config does it change? Does 'net ads join' also override the 'server role =' in smb.conf, and does this explain why 'Server role ROLE_DOMAIN_MEMBER' instead of standalone?

Thanks for the help!
Chad.