Nathaniel W. Turner
2019-Oct-29 15:26 UTC
[Samba] AD domain member cannot authenticate user in remote forest unless smbclient uses "localhost"
I see. =) I probably should have set the backend to autorid for "*", but I didn't think the ID mapping really mattered for the specific test I was doing. The "realm list" output shows the client software as winbind (not sssd) and the logs show messages from winbindd as it handles the authentication (in the successful cases), so I think that indicates that winbind is in use here. Does anyone know whether winbind is expected to be able to handle authenticating users in other trusted forests, and if so, why it might only be able to do so when ntlmssp is used (vs. gse_krb5)? On Tue, Oct 29, 2019 at 11:00 AM Rowland penny via samba < samba at lists.samba.org> wrote:> On 29/10/2019 14:52, Nathaniel W. Turner via samba wrote: > > Hi Rowland, > > > > On Tue, Oct 29, 2019 at 5:37 AM Rowland penny via samba < > > samba at lists.samba.org> wrote: > > > >> I am sorry but you seem to be asking on the wrong list, you appear to be > >> using sssd (which isn't supported with Samba from 4.8.0), Samba isn't > >> doing the authentication. > >> > > What part of my problem description, or which log entries make you think > I > > am using sssd? > > n > > The fact that you do not have lines in smb.conf similar to these: > > idmap config TC83 : backend = rid > idmap config TC83 : range = 100000-1999999 > > The lack of these lines means one of two things, either your smb.conf > isn't set up correctly or you are using sssd and it is usually the > latter ;-) > > Rowland > > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba >
Rowland penny
2019-Oct-29 15:43 UTC
[Samba] AD domain member cannot authenticate user in remote forest unless smbclient uses "localhost"
On 29/10/2019 15:26, Nathaniel W. Turner via samba wrote:> I see. =) > > I probably should have set the backend to autorid for "*", but I didn't > think the ID mapping really mattered for the specific test I was doing.From your point of view (multiple forests) 'autorid' will probably be the way to go> > The "realm list" output shows the client software as winbind (not sssd) and > the logs show messages from winbindd as it handles the authentication (in > the successful cases), so I think that indicates that winbind is in use > here.Possibly, but: A) You do not need 'realmd', 'sssd' etc B) Your smb.conf is incorrectly set up.> > Does anyone know whether winbind is expected to be able to handle > authenticating users in other trusted forests, and if so, why it might only > be able to do so when ntlmssp is used (vs. gse_krb5)? > >Trusted domains are supposed to work, but not sure about across forests ? Rowland
Nathaniel W. Turner
2019-Oct-29 15:59 UTC
[Samba] AD domain member cannot authenticate user in remote forest unless smbclient uses "localhost"
On Tue, Oct 29, 2019 at 11:43 AM Rowland penny via samba < samba at lists.samba.org> wrote:> A) You do not need 'realmd', 'sssd' etc >Understood. Using realmd is a convenience, as it automates some housekeeping, but I'm happy to take it out of the picture for the purposes of this test, if that's important.> B) Your smb.conf is incorrectly set up. >I'm not surprised. I read the docs and used "testparm", but I'm not a samba expert, and I know there are lots of ways to write a valid, but silly, smb.conf. What, other than the id mapping config, should I change? Here's the config again (with a more appropriate id mapping config), for reference: [global] kerberos method = system keytab logging = systemd realm = TC83.LOCAL security = ADS template homedir = /home/%U@%D template shell = /bin/bash winbind offline logon = Yes winbind refresh tickets = Yes workgroup = TC83 idmap config * : backend = autorid idmap config * : range = 1000000-19999999 [test] path = /srv/test valid users = "@tc83.local\domain users" "@tc84.local\domain users"> > Does anyone know whether winbind is expected to be able to handle > > authenticating users in other trusted forests, and if so, why it might > only > > be able to do so when ntlmssp is used (vs. gse_krb5)? > > > > > Trusted domains are supposed to work, but not sure about across forests ? >Is there a better place for me to ask this question? n
Apparently Analagous Threads
- AD domain member cannot authenticate user in remote forest unless smbclient uses "localhost"
- AD domain member cannot authenticate user in remote forest unless smbclient uses "localhost"
- AD domain member cannot authenticate user in remote forest unless smbclient uses "localhost"
- AD domain member cannot authenticate user in remote forest unless smbclient uses "localhost"
- Why is smbd looking for Kerberos principal cifs/host@DOMB when it is a member of DOMA?