C. de Man
2018-Feb-17 13:20 UTC
[Samba] Winbind authentication from different domain not working
We are running winbind (4.6.2) on a member server (CentOS 7) connected to an Active Directory domain.

1 Forest with 2 domains with a 2 way trust between them.

We want users from “DOMAIN A” to be able to log on (via SSH) on a server “SERVER01” in “DOMAIN B”. This works well if “SERVER01” in “DOMAIN B” can talk directly to “DOMAIN A”, but when there is a firewall between “SERVER01” and “DOMAIN A” it doesn’t work anymore.

winbind tries to look up a domain controller of “DOMAIN A” for user validations directly. It is not using the trust and validating “DOMAIN A” users via “DOMAIN B” domain controllers.

The trust between the domains is working. We’ve put a Windows 2008 machine in the same subnet and were able to log on with a user from “DOMAIN A” on the Windows server from “DOMAIN B”.

Is there a way to inform winbind to use “DOMAIN B” to validate users from “DOMAIN A”?

thanks,
Cdm
Rowland Penny
2018-Feb-17 14:09 UTC
[Samba] Winbind authentication from different domain not working
On Sat, 17 Feb 2018 14:20:34 +0100 "C. de Man via samba" <samba at lists.samba.org> wrote:

> We are running winbind (4.6.2) on a member server (CentOS 7) connected to
> an Active Directory domain.
>
> 1 Forest with 2 domains with a 2 way trust between them.
>
> We want users from “DOMAIN A” to be able to log on (via SSH) on a server
> “SERVER01” in “DOMAIN B”. This works well if “SERVER01” in
> “DOMAIN B” can talk directly to “DOMAIN A”, but when there is a
> firewall between “SERVER01” and “DOMAIN A” it doesn’t work anymore.
>
> winbind tries to look up a domain controller of “DOMAIN A” for user
> validations directly. It is not using the trust and validating “DOMAIN
> A” users via “DOMAIN B” domain controllers.
>
> The trust between the domains is working. We’ve put a Windows 2008
> machine in the same subnet and were able to log on with a user from
> “DOMAIN A” on the Windows server from “DOMAIN B”.
>
> Is there a way to inform winbind to use “DOMAIN B” to validate users
> from “DOMAIN A”?
>

It might help if we knew what you are doing at the moment, so can you please post your smb.conf. Do not attach this to a post, paste it into the post.

Rowland
C. de Man
2018-Feb-17 14:31 UTC
[Samba] Winbind authentication from different domain not working
config smb.conf

[global]
    realm = DOMAINB
    workgroup = DOMAINB
    security = ADS
    template homedir = /home/%U
    template shell = /bin/bash
    winbind expand groups = 1
    winbind separator = +
    winbind use default domain = Yes
    idmap config domainb : range = 3000001 - 4000000
    idmap config domainb : backend = rid
    idmap config domainc : range = 2000001 - 3000000
    idmap config domainc : backend = rid
    idmap config domaina : range = 1000001 - 2000000
    idmap config domaina : backend = rid
    idmap config * : range = 1000000-199999999
    idmap config * : backend = tdb

wbinfo --online-status

    BUILTIN : online
    SERVER01 : online
    DOMAINB : online
    DOMAINA : offline

As you can see, DOMAINA is offline. If we open up the firewall it is online and we are able to log on with a user from DOMAINA on SERVER01.

>> We are running winbind (4.6.2) on a member server (CentOS 7) connected to
>> an Active Directory domain.
>>
>> 1 Forest with 2 domains with a 2 way trust between them.
>>
>> We want users from “DOMAIN A” to be able to log on (via SSH) on a server
>> “SERVER01” in “DOMAIN B”. This works well if “SERVER01” in
>> “DOMAIN B” can talk directly to “DOMAIN A”, but when there is a
>> firewall between “SERVER01” and “DOMAIN A” it doesn’t work anymore.
>>
>> winbind tries to look up a domain controller of “DOMAIN A” for user
>> validations directly. It is not using the trust and validating “DOMAIN
>> A” users via “DOMAIN B” domain controllers.
>>
>> The trust between the domains is working. We’ve put a Windows 2008
>> machine in the same subnet and were able to log on with a user from
>> “DOMAIN A” on the Windows server from “DOMAIN B”.
>>
>> Is there a way to inform winbind to use “DOMAIN B” to validate users
>> from “DOMAIN A”?
>>
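
An added example, not part of any post in this thread: a small check that cross-references the domains given an idmap backend in smb.conf against `wbinfo --online-status` output and reports every configured domain winbind does not show as online. The function names are hypothetical and the sample input is constructed from the values quoted in the post above.

```python
import re
# Constructed sample input: the idmap lines and wbinfo output quoted in the thread.
SMB_CONF = """\
[global]
idmap config domainb : range = 3000001 - 4000000
idmap config domainb : backend = rid
idmap config domainc : range = 2000001 - 3000000
idmap config domainc : backend = rid
idmap config domaina : range = 1000001 - 2000000
idmap config domaina : backend = rid
idmap config * : range = 1000000-199999999
idmap config * : backend = tdb
"""
ONLINE_STATUS = """\
BUILTIN : online
SERVER01 : online
DOMAINB : online
DOMAINA : offline
"""
IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*backend\s*=", re.I)

def idmap_domains(conf_text):
    """Domains with an 'idmap config <DOM> : backend' line; the '*' default is skipped."""
    found = []
    for line in conf_text.splitlines():
        m = IDMAP_RE.match(line)
        if m and m.group(1) != "*":
            found.append(m.group(1).upper())
    return found

def parse_online_status(text):
    """Map domain name -> status from 'NAME : status' lines."""
    status = {}
    for line in text.splitlines():
        name, sep, state = line.partition(":")
        if sep and name.strip():
            status[name.strip().upper()] = state.strip().lower()
    return status

def unreachable_domains(conf_text, status_text):
    """{domain: reported status or 'not listed'} for configured domains not online."""
    status = parse_online_status(status_text)
    return {d: status.get(d, "not listed")
            for d in idmap_domains(conf_text) if status.get(d) != "online"}

if __name__ == "__main__":
    for dom, state in unreachable_domains(SMB_CONF, ONLINE_STATUS).items():
        print(f"{dom}: {state}")
```

On the values from the post this reports DOMAINA as offline and DOMAINC as configured but absent from the status output.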