Hi,

the external trust we have is a one-directional external trust. So users of the trusted domain can log on on local domain clients, but not the other way around. In case of "wbinfo -a" all communication is between the client and the domain controller of the local domain, which is the proxy for the auth process. In case of "wbinfo -K" all communication is between the client and a trusted domain controller, and the client does not have any rights/credentials there. Perhaps that's why I'm getting a

No logon servers Could not authenticate user [GLOBALDOM\globdomuser] with Kerberos

error message.

Regards,
Andreas

On 22.08.2017 at 14:30, Andreas Hauffe via samba wrote:
> Hi,
>
> I already added the two lines in smb.conf for my last test.
>
> Andreas
>
> [global]
> security = ADS
> workgroup = LOC
> realm = LOC.EXAMPLE.COM
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
>
> log file = /var/log/samba/%m.log
> log level = 1
>
> template homedir = /home/%D/%U
> template shell = /bin/bash
>
> # Default ID mapping configuration for local BUILTIN accounts
> # and groups on a domain member. The default (*) domain:
> # - must not overlap with any domain ID mapping configuration!
> # - must use a read-write-enabled back end, such as tdb.
> # - Adding just this is not enough
> # - You must set a DOMAIN backend configuration, see below
> idmap config * : backend = tdb
> idmap config * : range = 3000-9999
> idmap config LOC : backend = rid
> idmap config LOC : range = 1000000-2000000
> idmap config GLOB : backend = rid
> idmap config GLOB : range = 3000000-4000000
>
>
> On 22.08.2017 at 14:10, Rowland Penny via samba wrote:
>> On Tue, 22 Aug 2017 13:51:24 +0200
>> Andreas Hauffe via samba <samba at lists.samba.org> wrote:
>>
>>> Hi,
>>>
>>> sorry for not reading the comment above idmap config. I uninstalled
>>> and reinstalled samba and configs to remove all old id mappings and
>>> so on. Then changed all configs as advised. The id mapping is working
>>> correctly (wbinfo -i) for local and trusted domain. But I still
>>> cannot log on with wbinfo -K with a trusted domain account.
>>>
>> You will probably need a couple more lines in smb.conf:
>>
>> idmap config OTHERDOM : backend = rid
>> idmap config OTHERDOM : range = 2000001-3000000
>>
>> Rowland
>>
>
>
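The comment block in the posted smb.conf states the rules the idmap ranges have to satisfy (a default "*" domain on a read-write backend such as tdb, no overlapping ranges, an explicit configuration for every domain). The following is an added example, not code from the thread or from Samba, that parses the "idmap config" lines of an smb.conf and checks those rules; it treats tdb and autorid as the read-write backends (an assumption) and uses the posted config, with the quote marks removed, as constructed sample input. It also shows what happens when a range such as Rowland's placeholder 2000001-3000000 is added next to the existing GLOB range 3000000-4000000: the two share ID 3000000, which the check reports as an overlap.

```python
"""Added example (not code from the thread or from Samba): parse the
'idmap config' lines of an smb.conf and check the constraints stated in
the comment block of the posted config: a default '*' domain must exist,
must use a read-write backend such as tdb, must not overlap any other
range, and every domain in use must have its own explicit configuration."""
import re
from typing import Dict, List, Tuple

# Constructed sample: the idmap-relevant [global] lines as posted in the thread.
SAMPLE_SMB_CONF = """\
[global]
security = ADS
workgroup = LOC
realm = LOC.EXAMPLE.COM
# Default ID mapping configuration for local BUILTIN accounts
idmap config * : backend = tdb
idmap config * : range = 3000-9999
idmap config LOC : backend = rid
idmap config LOC : range = 1000000-2000000
idmap config GLOB : backend = rid
idmap config GLOB : range = 3000000-4000000
"""

IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.*?)\s*$", re.I)
RANGE_RE = re.compile(r"^(\d+)\s*-\s*(\d+)$")
# Assumption: backends that allocate IDs locally and therefore need a writable store.
READ_WRITE_BACKENDS = {"tdb", "autorid"}


def parse_idmap(text: str) -> Dict[str, Dict[str, str]]:
    """Return {DOMAIN: {option: value}} for every 'idmap config' line."""
    cfg: Dict[str, Dict[str, str]] = {}
    for line in text.splitlines():
        if line.lstrip().startswith(("#", ";")):  # smb.conf comment lines
            continue
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
            cfg.setdefault(dom, {})[opt] = val
    return cfg


def parse_range(value: str) -> Tuple[int, int]:
    """Parse 'LOW-HIGH' into ints; raise ValueError on malformed input."""
    m = RANGE_RE.match(value.strip())
    if not m:
        raise ValueError(f"malformed range {value!r}")
    lo, hi = int(m.group(1)), int(m.group(2))
    if lo > hi:
        raise ValueError(f"range low > high: {value!r}")
    return lo, hi


def check_idmap(cfg: Dict[str, Dict[str, str]], domains=()) -> List[str]:
    """Return a list of problems; an empty list means the config is consistent."""
    problems: List[str] = []
    default = cfg.get("*")
    if default is None:
        problems.append("no 'idmap config *' default domain")
    elif default.get("backend", "").lower() not in READ_WRITE_BACKENDS:
        problems.append(f"default '*' backend must be read-write (e.g. tdb), "
                        f"got {default.get('backend')!r}")
    for dom in domains:  # local workgroup plus every trusted domain in use
        if dom.upper() not in cfg:
            problems.append(f"domain {dom.upper()} has no explicit idmap config")

    ranges: List[Tuple[int, int, str]] = []
    for dom, opts in cfg.items():
        if "backend" not in opts:
            problems.append(f"{dom}: no backend")
        if "range" not in opts:
            problems.append(f"{dom}: no range")
            continue
        try:
            lo, hi = parse_range(opts["range"])
        except ValueError as exc:
            problems.append(f"{dom}: {exc}")
            continue
        ranges.append((lo, hi, dom))
    ranges.sort()
    for (lo1, hi1, d1), (lo2, hi2, d2) in zip(ranges, ranges[1:]):
        if lo2 <= hi1:  # ranges are inclusive: sharing a single ID is an overlap
            problems.append(f"range of {d2} ({lo2}-{hi2}) overlaps {d1} ({lo1}-{hi1})")
    return problems


if __name__ == "__main__":
    cfg = parse_idmap(SAMPLE_SMB_CONF)
    for p in check_idmap(cfg, ["LOC", "GLOB"]) or ["idmap config looks consistent"]:
        print(p)
```

Run it against a real smb.conf by reading the file into parse_idmap and passing the workgroup and every trusted domain name to check_idmap; the check only covers range bookkeeping, it says nothing about whether Kerberos authentication through the trust will work.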
On Tue, 22 Aug 2017 17:18:59 +0200
Andreas Hauffe via samba <samba at lists.samba.org> wrote:
> Hi,
>
> the external trust we have is a one-directional external trust. So
> users of the trusted domain can log on on local domain clients, but not the
> other way around. In case of "wbinfo -a" all communication is between
> the client and the domain controller of the local domain, which is
> the proxy for the auth process. In case of "wbinfo -K" all
> communication is between the client and a trusted domain controller,
> and the client does not have any rights/credentials there. Perhaps
> that's why I'm getting a
>
> No logon servers Could not authenticate user [GLOBALDOM\globdomuser]
> with Kerberos
>

Ah, I do not think that Samba supports one way trusts (yet)

Rowland
Hi,

thanks for the answer. Just to repeat, because I have to decide what to do:

I would be able to realize an authentication WITHOUT krb5auth in case of a one-way external trust for trusted domain users (wbinfo -a).

I would NOT be able to realize an authentication WITH krb5auth in case of a one-way external trust for trusted domain users (wbinfo -K).

Is there another trust type, e.g. forest trust, which is possible to use if the trust is one way?

Regards,
Andreas

________________________________________
From: samba <samba-bounces at lists.samba.org> on behalf of Rowland Penny via samba <samba at lists.samba.org>
Sent: Tuesday, 22 August 2017 17:42
To: samba at lists.samba.org
Subject: Re: [Samba] Winbind with krb5auth for trust users

On Tue, 22 Aug 2017 17:18:59 +0200
Andreas Hauffe via samba <samba at lists.samba.org> wrote:
> [...]
>
> No logon servers Could not authenticate user [GLOBALDOM\globdomuser]
> with Kerberos
>

Ah, I do not think that Samba supports one way trusts (yet)

Rowland