Nathaniel W. Turner
2019-Oct-29 15:26 UTC
[Samba] AD domain member cannot authenticate user in remote forest unless smbclient uses "localhost"
I see. =)

I probably should have set the backend to autorid for "*", but I didn't think the ID mapping really mattered for the specific test I was doing.

The "realm list" output shows the client software as winbind (not sssd) and the logs show messages from winbindd as it handles the authentication (in the successful cases), so I think that indicates that winbind is in use here.

Does anyone know whether winbind is expected to be able to handle authenticating users in other trusted forests, and if so, why it might only be able to do so when ntlmssp is used (vs. gse_krb5)?

On Tue, Oct 29, 2019 at 11:00 AM Rowland penny via samba <samba at lists.samba.org> wrote:

> On 29/10/2019 14:52, Nathaniel W. Turner via samba wrote:
> > Hi Rowland,
> >
> > On Tue, Oct 29, 2019 at 5:37 AM Rowland penny via samba <samba at lists.samba.org> wrote:
> >
> >> I am sorry but you seem to be asking on the wrong list, you appear to be
> >> using sssd (which isn't supported with Samba from 4.8.0), Samba isn't
> >> doing the authentication.
> >>
> > What part of my problem description, or which log entries make you think I
> > am using sssd?
> > n
>
> The fact that you do not have lines in smb.conf similar to these:
>
>     idmap config TC83 : backend = rid
>     idmap config TC83 : range = 100000-1999999
>
> The lack of these lines means one of two things, either your smb.conf
> isn't set up correctly or you are using sssd and it is usually the
> latter ;-)
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
Rowland penny
2019-Oct-29 15:43 UTC
[Samba] AD domain member cannot authenticate user in remote forest unless smbclient uses "localhost"
On 29/10/2019 15:26, Nathaniel W. Turner via samba wrote:
> I see. =)
>
> I probably should have set the backend to autorid for "*", but I didn't
> think the ID mapping really mattered for the specific test I was doing.

From your point of view (multiple forests) 'autorid' will probably be the way to go.

> The "realm list" output shows the client software as winbind (not sssd) and
> the logs show messages from winbindd as it handles the authentication (in
> the successful cases), so I think that indicates that winbind is in use
> here.

Possibly, but:

A) You do not need 'realmd', 'sssd' etc
B) Your smb.conf is incorrectly set up.

> Does anyone know whether winbind is expected to be able to handle
> authenticating users in other trusted forests, and if so, why it might only
> be able to do so when ntlmssp is used (vs. gse_krb5)?
>

Trusted domains are supposed to work, but not sure about across forests?

Rowland
Nathaniel W. Turner
2019-Oct-29 15:59 UTC
[Samba] AD domain member cannot authenticate user in remote forest unless smbclient uses "localhost"
On Tue, Oct 29, 2019 at 11:43 AM Rowland penny via samba <samba at lists.samba.org> wrote:

> A) You do not need 'realmd', 'sssd' etc

Understood. Using realmd is a convenience, as it automates some housekeeping, but I'm happy to take it out of the picture for the purposes of this test, if that's important.

> B) Your smb.conf is incorrectly set up.

I'm not surprised. I read the docs and used "testparm", but I'm not a samba expert, and I know there are lots of ways to write a valid, but silly, smb.conf. What, other than the id mapping config, should I change?

Here's the config again (with a more appropriate id mapping config), for reference:

    [global]
            kerberos method = system keytab
            logging = systemd
            realm = TC83.LOCAL
            security = ADS
            template homedir = /home/%U@%D
            template shell = /bin/bash
            winbind offline logon = Yes
            winbind refresh tickets = Yes
            workgroup = TC83
            idmap config * : backend = autorid
            idmap config * : range = 1000000-19999999

    [test]
            path = /srv/test
            valid users = "@tc83.local\domain users" "@tc84.local\domain users"

> > Does anyone know whether winbind is expected to be able to handle
> > authenticating users in other trusted forests, and if so, why it might
> > only be able to do so when ntlmssp is used (vs. gse_krb5)?
> >
>
> Trusted domains are supposed to work, but not sure about across forests?

Is there a better place for me to ask this question?

n
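The exchange above turns on whether the member's smb.conf carries usable "idmap config" lines at all. The following is an added example, not part of the thread and not a Samba tool: a small lint that parses the [global] section of an smb.conf, groups the "idmap config <DOMAIN> : <option>" lines per domain and reports the conditions the thread touches on, namely a missing default ("*") backend or range, a member domain with no mapping of its own when "*" is not autorid, and ID ranges that overlap between domains. The parser is deliberately minimal (no "include =" handling, no %-macro expansion), and THREAD_CONF is a constructed input built from the [global] lines quoted in the thread.

```python
"""Lint the idmap configuration of an smb.conf for an AD domain member.

Added example (not from the thread, not Samba's own tooling): it parses the
[global] section, collects the "idmap config <DOMAIN> : <option> = <value>"
lines and reports a missing default ("*") mapping, an own domain that has no
mapping while "*" is not autorid, and overlapping ID ranges between domains.
"""
import re
from typing import Dict, List, Tuple

# "idmap config <domain> : <option>" as it appears on the key side of "=".
IDMAP_KEY = re.compile(r"^idmap config\s+(\S+)\s*:\s*(\S+)$")


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal smb.conf parser: {section: {key: value}}, keys lower-cased."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current][key.strip().lower()] = value.strip()
    return sections


def idmap_entries(global_section: Dict[str, str]) -> Dict[str, Dict[str, str]]:
    """Group idmap options per domain, e.g. {"*": {"backend": "autorid", "range": ...}}."""
    entries: Dict[str, Dict[str, str]] = {}
    for key, value in global_section.items():
        m = IDMAP_KEY.match(key)
        if m:
            domain, option = m.group(1).upper(), m.group(2).lower()
            entries.setdefault(domain, {})[option] = value
    return entries


def parse_range(value: str) -> Tuple[int, int]:
    """Turn "low-high" into a (low, high) pair, rejecting empty or inverted ranges."""
    lo, hi = (int(part) for part in value.split("-", 1))
    if lo >= hi:
        raise ValueError(f"low end {lo} is not below high end {hi}")
    return lo, hi


def lint_idmap(text: str) -> List[str]:
    """Return a list of human-readable problems; an empty list means no findings."""
    sections = parse_smb_conf(text)
    glob = sections.get("global", {})
    entries = idmap_entries(glob)
    problems: List[str] = []

    # Samba needs an explicit backend and range for the default domain ("*"),
    # which covers BUILTIN and any trusted domain without an entry of its own.
    default = entries.get("*", {})
    if "backend" not in default or "range" not in default:
        problems.append('no "idmap config * : backend" and "range": the default domain '
                        "(BUILTIN and any trusted domain without its own entry) has no mapping")

    # autorid for "*" covers the member's own domain; otherwise a per-domain
    # rid/ad entry for the workgroup is the usual setup (Rowland's point).
    workgroup = glob.get("workgroup", "").upper()
    if workgroup and workgroup not in entries and default.get("backend", "").lower() != "autorid":
        problems.append(f"own domain {workgroup} has no idmap config of its own and the "
                        'default backend is not autorid; add "idmap config '
                        f'{workgroup} : backend/range" (rid or ad) or use autorid for "*"')

    ranges: List[Tuple[int, int, str]] = []
    for domain, opts in entries.items():
        for required in ("backend", "range"):
            if required not in opts:
                problems.append(f"{domain}: missing idmap {required}")
        if "range" in opts:
            try:
                lo, hi = parse_range(opts["range"])
            except ValueError as exc:
                problems.append(f"{domain}: bad range {opts['range']!r} ({exc})")
                continue
            ranges.append((lo, hi, domain))

    # Sorted by low end, so any overlap shows up between neighbours.
    ranges.sort()
    for (lo1, hi1, d1), (lo2, hi2, d2) in zip(ranges, ranges[1:]):
        if lo2 <= hi1:
            problems.append(f"ranges overlap: {d1} {lo1}-{hi1} and {d2} {lo2}-{hi2}")
    return problems


# Constructed input: the idmap-relevant [global] lines from the thread's final smb.conf.
THREAD_CONF = """
[global]
        realm = TC83.LOCAL
        security = ADS
        workgroup = TC83
        idmap config * : backend = autorid
        idmap config * : range = 1000000-19999999

[test]
        path = /srv/test
"""

if __name__ == "__main__":
    for problem in lint_idmap(THREAD_CONF) or ["no idmap problems found"]:
        print(problem)
```

Run against the thread's config the lint reports nothing, because autorid on "*" covers TC83 and any trusted forest domain from one range. Replace "*" with a tdb backend and the own-domain warning fires; add a per-domain rid entry whose range crosses the "*" range and the overlap check fires. It complements rather than replaces "testparm", which validates syntax but does not reason about which domains end up with a mapping.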