Chris Alavoine
2017-Nov-07 15:06 UTC
[Samba] Attempting a trust between Samba and Windows AD DC
Hi all,

We are about to integrate a large number of users into our organisation and I've been tasked with attempting to allow said users access to our internal systems, which are controlled from 10 x Samba 4.6.3 DC's across several sites.

All Samba DC's are running either Ubuntu 14.04 or 16.04.

Replication works nicely between these DC's and this system has been relatively stable for some time now. We use BIND_DLZ as our DNS backend.

The new users will be created on a Windows Server 2016 AD DC and I've created a trust between the 2 domains (which has validated at both ends). wbinfo returns useful information for each domain and I've got SSSD working from a member server. I can assign rights to a share on a member server from the trusted domain and all looks good. However, I am unable to access the shares on our member servers (fileservers) as one of the new external users. It feels like I'm quite close but I am either missing something very obvious or going about it in the wrong way.

All member servers are running Ubuntu and at least Samba 4.6.3 (some of them newer). I've created a test member server for me to test things out on. I am currently testing with SSSD as it allows multiple domains to be declared.

My smb.conf currently looks like this:

    [global]
    netbios name = FS-006
    security = ADS
    realm = EXAMPLE.COM
    workgroup = EXAMPLE

    allow trusted domains = yes

    log file = /var/log/samba/%m.log

    kerberos method = secrets and keytab

    idmap config *:backend = tdb
    idmap config *:range = 500-2000
    idmap config EXAMPLE:backend = ad
    idmap config EXAMPLE:schema_mode = rfc2307
    idmap config EXAMPLE:range = 10000-9999999
    idmap config EXTERNAL:backend = ad
    idmap config EXTERNAL:schema_mode = rfc2307
    idmap config EXTERNAL:range = 10000000-99999999999

    client signing = yes
    client use spnego = yes
    vfs objects = acl_xattr,full_audit
    server signing = mandatory

    # VFS settings
    full_audit:prefix = %u|%I|%m|%S
    full_audit:success = mkdir rename unlink rmdir pwrite
    full_audit:failure = none
    full_audit:facility = local7
    full_audit:priority = notice

    map acl inherit = Yes
    store dos attributes = Yes

    log level = 5

    ## SHARES
    [test]
    path = /data/test
    read only = no
    # end

If anyone has any experience with a similar scenario I'd appreciate your input.

Thanks,
Chris.

--
ACS (Alavoine Computer Services Ltd)
Chris Alavoine
mob +44 (0)7724 710 730
www.alavoinecs.co.uk
http://twitter.com/#!/alavoinecs
http://www.linkedin.com/pub/chris-alavoine/39/606/192
Rowland Penny
2017-Nov-07 15:38 UTC
[Samba] Attempting a trust between Samba and Windows AD DC
On Tue, 7 Nov 2017 15:06:55 +0000
Chris Alavoine via samba <samba at lists.samba.org> wrote:

> Hi all,
>
> We are about to integrate a large number of users into our
> organisation and I've been tasked with attempting to allow said users
> access to our internal systems which are controlled from 10 x Samba
> 4.6.3 DC's across several sites.
>
> All Samba DC's are running either Ubuntu 14.04 or 16.04.
>
> Replication works nicely between these DC's and this system has been
> relatively stable for some time now. We use BIND_DLZ as our DNS
> backend.
>
> The new users will be being created on a Windows Server 2016 AD DC
> and I've created a trust between the 2 domains (which has validated
> at both ends). wbinfo returns useful information for each domain and
> I've got SSSD working from a member server. I can assign rights to a
> share on a member server from the trusted domain and all looks good.
> However, I am unable to access the shares on our member servers
> (fileservers) as one of the new external users. It feels like I'm
> quite close but I am either missing something very obvious or going
> about it in the wrong way.
>
> All member servers are running Ubuntu and at least Samba 4.6.3 (some
> of them newer). I've created a test member server for me to test
> things out on. I am currently testing with SSSD as it allows multiple
> domains to be declared.
>
> My smb.conf currently looks like this:
>
> [global]
> netbios name = FS-006
> security = ADS
> realm = EXAMPLE.COM
> workgroup = EXAMPLE
>
> allow trusted domains = yes
>
> log file = /var/log/samba/%m.log
>
> kerberos method = secrets and keytab
>
> idmap config *:backend = tdb
> idmap config *:range = 500-2000
> idmap config EXAMPLE:backend = ad
> idmap config EXAMPLE:schema_mode = rfc2307
> idmap config EXAMPLE:range = 10000-9999999
> idmap config EXTERNAL:backend = ad
> idmap config EXTERNAL:schema_mode = rfc2307
> idmap config EXTERNAL:range = 10000000-99999999999

If you are running sssd and using it for authentication, then the above 'idmap config' is useless.

If you want to continue using sssd, then can I suggest asking on the sssd-users mailing list, sssd has nothing to do with Samba.

Rowland
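If winbind rather than sssd ends up doing the identity mapping, the idmap ranges in the posted smb.conf decide which uid/gid each SID becomes, and overlapping ranges or a range that a 32-bit uid cannot hold undermine that mapping. The following checker is an added example, not code from this thread or from the Samba project: it parses the 'idmap config' lines of the smb.conf quoted above (embedded as constructed input) and reports ranges that overlap, exceed the 32-bit uid limit, or lack a backend.

```python
import re

# uid_t/gid_t are 32-bit unsigned on Linux; an idmap range above this cannot be represented.
UID_MAX = 2**32 - 1

# Constructed input: the idmap lines from the smb.conf posted in this thread.
SMB_CONF = """
[global]
idmap config *:backend = tdb
idmap config *:range = 500-2000
idmap config EXAMPLE:backend = ad
idmap config EXAMPLE:schema_mode = rfc2307
idmap config EXAMPLE:range = 10000-9999999
idmap config EXTERNAL:backend = ad
idmap config EXTERNAL:schema_mode = rfc2307
idmap config EXTERNAL:range = 10000000-99999999999
"""

IDMAP_RE = re.compile(r"^\s*idmap config\s+(?P<dom>[^:\s]+)\s*:\s*(?P<key>\w+)\s*=\s*(?P<val>.+?)\s*$", re.I)

def parse_idmap(conf):
    """Return {domain: {key: value}} for every 'idmap config' line in conf."""
    domains = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            domains.setdefault(m["dom"], {})[m["key"].lower()] = m["val"]
    return domains

def check_idmap(conf):
    """Return a list of problems found in the idmap configuration (empty list = clean)."""
    problems, ranges = [], {}
    domains = parse_idmap(conf)
    if "*" not in domains:
        problems.append("no default 'idmap config *' block")
    for dom, cfg in domains.items():
        if "backend" not in cfg:
            problems.append(f"{dom}: no backend")
        rng = cfg.get("range")
        if rng is None:
            problems.append(f"{dom}: no range")
            continue
        lo, hi = (int(x) for x in rng.split("-"))
        if lo >= hi:
            problems.append(f"{dom}: range {rng} has low >= high")
        if hi > UID_MAX:
            problems.append(f"{dom}: range {rng} exceeds 32-bit uid limit {UID_MAX}")
        ranges[dom] = (lo, hi)
    # Every pair of ranges must be disjoint, otherwise two SIDs can map to the same id.
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:
                problems.append(f"{a} and {b}: ranges overlap")
    return problems

if __name__ == "__main__":
    for p in check_idmap(SMB_CONF):
        print(p)
```

Run against the posted config, the only finding is that the EXTERNAL range's upper bound does not fit in a 32-bit uid; the three ranges themselves are disjoint.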
Chris Alavoine
2017-Nov-07 15:47 UTC
[Samba] Attempting a trust between Samba and Windows AD DC
Hi Rowland,

Thanks for the swift response. I'm not married to SSSD and am happy to use the best tool for the job, but was just looking for some general advice on my situation.

I'll post on the sssd-users mailing list as well.

Thanks,
Chris.

On 7 November 2017 at 15:38, Rowland Penny <rpenny at samba.org> wrote:

> On Tue, 7 Nov 2017 15:06:55 +0000
> Chris Alavoine via samba <samba at lists.samba.org> wrote:
>
> > Hi all,
> >
> > We are about to integrate a large number of users into our
> > organisation and I've been tasked with attempting to allow said users
> > access to our internal systems which are controlled from 10 x Samba
> > 4.6.3 DC's across several sites.
> >
> > All Samba DC's are running either Ubuntu 14.04 or 16.04.
> >
> > Replication works nicely between these DC's and this system has been
> > relatively stable for some time now. We use BIND_DLZ as our DNS
> > backend.
> >
> > The new users will be being created on a Windows Server 2016 AD DC
> > and I've created a trust between the 2 domains (which has validated
> > at both ends). wbinfo returns useful information for each domain and
> > I've got SSSD working from a member server. I can assign rights to a
> > share on a member server from the trusted domain and all looks good.
> > However, I am unable to access the shares on our member servers
> > (fileservers) as one of the new external users. It feels like I'm
> > quite close but I am either missing something very obvious or going
> > about it in the wrong way.
> >
> > All member servers are running Ubuntu and at least Samba 4.6.3 (some
> > of them newer). I've created a test member server for me to test
> > things out on. I am currently testing with SSSD as it allows multiple
> > domains to be declared.
> >
> > My smb.conf currently looks like this:
> >
> > [global]
> > netbios name = FS-006
> > security = ADS
> > realm = EXAMPLE.COM
> > workgroup = EXAMPLE
> >
> > allow trusted domains = yes
> >
> > log file = /var/log/samba/%m.log
> >
> > kerberos method = secrets and keytab
> >
> > idmap config *:backend = tdb
> > idmap config *:range = 500-2000
> > idmap config EXAMPLE:backend = ad
> > idmap config EXAMPLE:schema_mode = rfc2307
> > idmap config EXAMPLE:range = 10000-9999999
> > idmap config EXTERNAL:backend = ad
> > idmap config EXTERNAL:schema_mode = rfc2307
> > idmap config EXTERNAL:range = 10000000-99999999999
>
> If you are running sssd and using it for authentication, then the above
> 'idmap config' is useless.
> If you want to continue using sssd, then can I suggest asking on the
> sssd-users mailing list, sssd has nothing to do with Samba.
>
> Rowland