Does "wbinfo -u" show DOMAIN_B users?
Do the following commands work?
wbinfo -n DOMAIN_B+someuser
wbinfo -i DOMAIN_B+someuser
wbinfo --allocate-uid
Did you try using the ad backend for domain_B and statically allocating uid
and gid numbers in Active Directory?
You might want to try setting
winbind rpc only = Yes
(which would point to an issue with LDAP.)
On 12/20/16 13:23, Josef Wölfle via samba wrote:
> Hi Gaiseric,
>
> I have tried that, also in different variations. But the users and
> groups of DOMAIN_B stay invisible.
>
> Below is the smb.conf in its current state.
>
> By the way: kinit works with both, users of DOM_A and users of DOM_B.
>
> [global]
> workgroup = DOM_A
> server string = Samba %v
> log file = /var/log/samba/log.%m
> max log size = 50
> password server = *
> realm = INTRA.DOMAIN-A.DE
> security = ads
> server signing = auto
> encrypt passwords = yes
> kerberos method = secrets and keytab
> dedicated keytab file = /etc/krb5.keytab
> idmap config * : backend = tdb
> idmap config * : range = 5000-6000
> idmap config intra.domain-a.de : backend = ad
> idmap config intra.domain-a.de : range = 1000-1999
> idmap config intra.domain-b.de : backend = tdb
> idmap config intra.domain-b.de: range = 4000-4999
> # idmap config * : range = 1000000-1999999
> winbind separator = +
> template homedir = /home/%U
> winbind use default domain = false
> winbind offline logon = false
> server string = linuxserver1
> netbios name = linuxserver1
> winbind enum users = yes
> winbind enum groups = yes
> winbind nested groups = yes
> client max protocol = LANMAN1
> client use spnego = yes
> #client ldap sasl wrapping = plain
> #ldap server require strong auth = yes
> kccsrv:samba_kcc = no
> ntlm auth = yes
> smb2 leases = no
> allow trusted domains = yes
> vfs objects = acl_xattr
> map acl inherit = yes
> store dos attributes = yes
> template shell = /bin/bash
>