samba - Aug 2017 - Winbind with krb5auth for trust users

On Tue, 22 Aug 2017 13:51:24 +0200
Andreas Hauffe via samba <samba at lists.samba.org> wrote:
> Hi,
> 
> sorry for not reading the comment above idmap config. I uninstalled
> and reinstalled samba and configs to remove all old id mappings and
> so on. Then changed all configs as adviced. The id mapping is working
> correctly (wbinfo -i) for local and trusted domain. But I still
> cannot logon with wbinfo -K with a trusted domain account.
> 
You will probably need a couple more lines in smb.conf:

          idmap config OTHERDOM : backend = rid
          idmap config OTHERDOM : range = 2000001-3000000

Rowland

Hi,

I already added the two lines in smb.conf for my last test.

Andreas

[global]
        security = ADS
        workgroup = LOC
        realm = LOC.EXAMPLE.COM
        dedicated keytab file = /etc/krb5.keytab
        kerberos method = secrets and keytab

        log file = /var/log/samba/%m.log
        log level = 1

        template homedir = /home/%D/%U
        template shell = /bin/bash

        # Default ID mapping configuration for local BUILTIN accounts
        # and groups on a domain member. The default (*) domain:
        # - must not overlap with any domain ID mapping configuration!
        # - must use a read-write-enabled back end, such as tdb.
        # - Adding just this is not enough
        # - You must set a DOMAIN backend configuration, see below
        idmap config * : backend = tdb
        idmap config * : range = 3000-9999
        idmap config LOC : backend = rid
        idmap config LOC : range = 1000000-2000000
        idmap config GLOB : backend = rid
        idmap config GLOB : range = 3000000-4000000


Am 22.08.2017 um 14:10 schrieb Rowland Penny via samba:
> On Tue, 22 Aug 2017 13:51:24 +0200
> Andreas Hauffe via samba <samba at lists.samba.org> wrote:
>
>> Hi,
>>
>> sorry for not reading the comment above idmap config. I uninstalled
>> and reinstalled samba and configs to remove all old id mappings and
>> so on. Then changed all configs as adviced. The id mapping is working
>> correctly (wbinfo -i) for local and trusted domain. But I still
>> cannot logon with wbinfo -K with a trusted domain account.
>>
> You will probably need a couple more lines in smb.conf:
>
>            idmap config OTHERDOM : backend = rid
>            idmap config OTHERDOM : range = 2000001-3000000
>
> Rowland
>

Hi,

the external trust, we have, is a one directional external trust. So 
users of the trusted dom can logon on local dom clients, but not the 
other way around. In case of "wbinfo -a" all communication is between 
the client and the domain controller of the local domain, which is the 
proxy for the auth process. In case of "wbinfo -K" all communication
is
between the client and a trusted domain controller and the client do not 
have any rights/credentials there. Perhaps, that's way I'm getting a

No logon servers Could not authenticate user [GLOBALDOM\globdomuser] 
with Kerberos

error message.

Regards,
Andreas

Am 22.08.2017 um 14:30 schrieb Andreas Hauffe via samba:
> Hi,
>
> I already added the two lines in smb.conf for my last test.
>
> Andreas
>
> [global]
>        security = ADS
>        workgroup = LOC
>        realm = LOC.EXAMPLE.COM
>        dedicated keytab file = /etc/krb5.keytab
>        kerberos method = secrets and keytab
>
>        log file = /var/log/samba/%m.log
>        log level = 1
>
>        template homedir = /home/%D/%U
>        template shell = /bin/bash
>
>        # Default ID mapping configuration for local BUILTIN accounts
>        # and groups on a domain member. The default (*) domain:
>        # - must not overlap with any domain ID mapping configuration!
>        # - must use a read-write-enabled back end, such as tdb.
>        # - Adding just this is not enough
>        # - You must set a DOMAIN backend configuration, see below
>        idmap config * : backend = tdb
>        idmap config * : range = 3000-9999
>        idmap config LOC : backend = rid
>        idmap config LOC : range = 1000000-2000000
>        idmap config GLOB : backend = rid
>        idmap config GLOB : range = 3000000-4000000
>
>
> Am 22.08.2017 um 14:10 schrieb Rowland Penny via samba:
>> On Tue, 22 Aug 2017 13:51:24 +0200
>> Andreas Hauffe via samba <samba at lists.samba.org> wrote:
>>
>>> Hi,
>>>
>>> sorry for not reading the comment above idmap config. I uninstalled
>>> and reinstalled samba and configs to remove all old id mappings and
>>> so on. Then changed all configs as adviced. The id mapping is
working
>>> correctly (wbinfo -i) for local and trusted domain. But I still
>>> cannot logon with wbinfo -K with a trusted domain account.
>>>
>> You will probably need a couple more lines in smb.conf:
>>
>>            idmap config OTHERDOM : backend = rid
>>            idmap config OTHERDOM : range = 2000001-3000000
>>
>> Rowland
>>
>
>
>