Nathaniel W. Turner
2019-Oct-29 14:52 UTC
[Samba] AD domain member cannot authenticate user in remote forest unless smbclient uses "localhost"
Hi Rowland, On Tue, Oct 29, 2019 at 5:37 AM Rowland penny via samba < samba at lists.samba.org> wrote:> > I am sorry but you seem to be asking on the wrong list, you appear to be > using sssd (which isn't supported with Samba from 4.8.0), Samba isn't > doing the authentication. >What part of my problem description, or which log entries make you think I am using sssd? n
Rowland penny
2019-Oct-29 15:00 UTC
[Samba] AD domain member cannot authenticate user in remote forest unless smbclient uses "localhost"
On 29/10/2019 14:52, Nathaniel W. Turner via samba wrote:> Hi Rowland, > > On Tue, Oct 29, 2019 at 5:37 AM Rowland penny via samba < > samba at lists.samba.org> wrote: > >> I am sorry but you seem to be asking on the wrong list, you appear to be >> using sssd (which isn't supported with Samba from 4.8.0), Samba isn't >> doing the authentication. >> > What part of my problem description, or which log entries make you think I > am using sssd? > nThe fact that you do not have lines in smb.conf similar to these: idmap config TC83 : backend = rid idmap config TC83 : range = 100000-1999999 The lack of these lines means one of two things, either your smb.conf isn't set up correctly or you are using sssd and it is usually the latter ;-) Rowland
Nathaniel W. Turner
2019-Oct-29 15:26 UTC
[Samba] AD domain member cannot authenticate user in remote forest unless smbclient uses "localhost"
I see. =) I probably should have set the backend to autorid for "*", but I didn't think the ID mapping really mattered for the specific test I was doing. The "realm list" output shows the client software as winbind (not sssd) and the logs show messages from winbindd as it handles the authentication (in the successful cases), so I think that indicates that winbind is in use here. Does anyone know whether winbind is expected to be able to handle authenticating users in other trusted forests, and if so, why it might only be able to do so when ntlmssp is used (vs. gse_krb5)? On Tue, Oct 29, 2019 at 11:00 AM Rowland penny via samba < samba at lists.samba.org> wrote:> On 29/10/2019 14:52, Nathaniel W. Turner via samba wrote: > > Hi Rowland, > > > > On Tue, Oct 29, 2019 at 5:37 AM Rowland penny via samba < > > samba at lists.samba.org> wrote: > > > >> I am sorry but you seem to be asking on the wrong list, you appear to be > >> using sssd (which isn't supported with Samba from 4.8.0), Samba isn't > >> doing the authentication. > >> > > What part of my problem description, or which log entries make you think > I > > am using sssd? > > n > > The fact that you do not have lines in smb.conf similar to these: > > idmap config TC83 : backend = rid > idmap config TC83 : range = 100000-1999999 > > The lack of these lines means one of two things, either your smb.conf > isn't set up correctly or you are using sssd and it is usually the > latter ;-) > > Rowland > > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba >