samba - Feb 2018 - Winbind authentication from different domain not working

We are running winbind(4.6.2) on member server(CentOS 7) connected to a Active
directory domain.

1 Forest with 2 domains with a 2 way trust between them.


We want users from “DOMAIN A” be able to logon(via SSH) on a server
"SERVER01" in “DOMAIN B”.
This works well if the “SERVER01" in "DOMAIN B” can talk directly to
“DOMAIN A” but when their is a firewall between “SERVER01”  and “DOMAIN A” is
doesn’t work anymore.

winbind tries to lookup domain controller “DOMAIN A” for user validations
directly.
It is not using the trust and validate “DOMAIN A” users via “DOMAIN B” domain
controllers.

The trust between the domains is working. We’ve put a windows 2008 machine in
the same subnet.
And was able to logon with a user from “DOMAIN A” on the Windows server from
“DOMAIN B”

Is their a way to inform winbind to use “DOMAIN B” to validate users from
“DOMAIN A” ?


thanks,

Cdm

On Sat, 17 Feb 2018 14:20:34 +0100
"C. de Man via samba" <samba at lists.samba.org> wrote:
> We are running winbind(4.6.2) on member server(CentOS 7) connected to
> a Active directory domain.
> 
> 1 Forest with 2 domains with a 2 way trust between them.
> 
> 
> We want users from “DOMAIN A” be able to logon(via SSH) on a server
> "SERVER01" in “DOMAIN B”. This works well if the “SERVER01"
in
> "DOMAIN B” can talk directly to “DOMAIN A” but when their is a
> firewall between “SERVER01”  and “DOMAIN A” is doesn’t work anymore.
> 
> winbind tries to lookup domain controller “DOMAIN A” for user
> validations directly. It is not using the trust and validate “DOMAIN
> A” users via “DOMAIN B” domain controllers. 
> 
> The trust between the domains is working. We’ve put a windows 2008
> machine in the same subnet. And was able to logon with a user from
> “DOMAIN A” on the Windows server from “DOMAIN B”
> 
> Is their a way to inform winbind to use “DOMAIN B” to validate users
> from “DOMAIN A” ?
> 
It might help if we knew what you are doing at the moment, so can you
please post your smb.conf, do not attach this to a post, paste it into
the post.

Rowland

config smb.conf
[global]
	realm = DOMAINB
	workgroup = DOMAINB
	security = ADS
	template homedir = /home/%U
	template shell = /bin/bash
	winbind expand groups = 1
	winbind separator = +
	winbind use default domain = Yes
	idmap config domainb : range = 3000001 - 4000000
	idmap config domainb : backend = rid
	idmap config domainc : range = 2000001 - 3000000
	idmap config domainc : backend = rid
	idmap config domaina : range = 1000001 - 2000000
	idmap config domaina : backend = rid
	idmap config * : range = 1000000-199999999
	idmap config * : backend = tdb

wbinfo --online-status
BUILTIN : online
SERVER01 : online
DOMAINB : online
DOMAINA : offline 

As you can see DOMAINA is offline, if we open up the firewall it is online and
are able to logon with a user from DOMAINA on SERVER01.

> 
>> We are running winbind(4.6.2) on member server(CentOS 7) connected to
>> a Active directory domain.
>> 
>> 1 Forest with 2 domains with a 2 way trust between them.
>> 
>> 
>> We want users from “DOMAIN A” be able to logon(via SSH) on a server
>> "SERVER01" in “DOMAIN B”. This works well if the
“SERVER01" in
>> "DOMAIN B” can talk directly to “DOMAIN A” but when their is a
>> firewall between “SERVER01”  and “DOMAIN A” is doesn’t work anymore.
>> 
>> winbind tries to lookup domain controller “DOMAIN A” for user
>> validations directly. It is not using the trust and validate “DOMAIN
>> A” users via “DOMAIN B” domain controllers. 
>> 
>> The trust between the domains is working. We’ve put a windows 2008
>> machine in the same subnet. And was able to logon with a user from
>> “DOMAIN A” on the Windows server from “DOMAIN B”
>> 
>> Is their a way to inform winbind to use “DOMAIN B” to validate users
>> from “DOMAIN A” ?
>>