samba - Oct 2019 - AD domain member cannot authenticate user in remote forest unless smbclient uses "localhost"

Hi Rowland,

On Tue, Oct 29, 2019 at 5:37 AM Rowland penny via samba <
samba at lists.samba.org> wrote:
>
> I am sorry but you seem to be asking on the wrong list, you appear to be
> using sssd (which isn't supported with Samba from 4.8.0), Samba
isn't
> doing the authentication.
>
What part of my problem description, or which log entries make you think I
am using sssd?
n

On 29/10/2019 14:52, Nathaniel W. Turner via samba
wrote:
> Hi Rowland,
>
> On Tue, Oct 29, 2019 at 5:37 AM Rowland penny via samba <
> samba at lists.samba.org> wrote:
>
>> I am sorry but you seem to be asking on the wrong list, you appear to
be
>> using sssd (which isn't supported with Samba from 4.8.0), Samba
isn't
>> doing the authentication.
>>
> What part of my problem description, or which log entries make you think I
> am using sssd?
> n
The fact that you do not have lines in smb.conf similar to these:

idmap config TC83 : backend = rid
idmap config TC83 : range = 100000-1999999

The lack of these lines means one of two things, either your smb.conf 
isn't set up correctly or you are using sssd and it is usually the 
latter ;-)

Rowland

I see. =)

I probably should have set the backend to autorid for "*", but I
didn't
think the ID mapping really mattered for the specific test I was doing.

The "realm list" output shows the client software as winbind (not
sssd) and
the logs show messages from winbindd as it handles the authentication (in
the successful cases), so I think that indicates that winbind is in use
here.

Does anyone know whether winbind is expected to be able to handle
authenticating users in other trusted forests, and if so, why it might only
be able to do so when ntlmssp is used (vs. gse_krb5)?


On Tue, Oct 29, 2019 at 11:00 AM Rowland penny via samba <
samba at lists.samba.org> wrote:
> On 29/10/2019 14:52, Nathaniel W. Turner via samba wrote:
> > Hi Rowland,
> >
> > On Tue, Oct 29, 2019 at 5:37 AM Rowland penny via samba <
> > samba at lists.samba.org> wrote:
> >
> >> I am sorry but you seem to be asking on the wrong list, you appear
to be
> >> using sssd (which isn't supported with Samba from 4.8.0),
Samba isn't
> >> doing the authentication.
> >>
> > What part of my problem description, or which log entries make you
think
> I
> > am using sssd?
> > n
>
> The fact that you do not have lines in smb.conf similar to these:
>
> idmap config TC83 : backend = rid
> idmap config TC83 : range = 100000-1999999
>
> The lack of these lines means one of two things, either your smb.conf
> isn't set up correctly or you are using sssd and it is usually the
> latter ;-)
>
> Rowland
>
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>