On 16/07/2020 16:11, L.P.H. van Belle via samba wrote:
> First of all, why does the DOMAIN contain/show a dot in it?
> ( I think it's a wrong setting in sssd, but I don't know sssd )
> I know this is one of your REALMs and not the domain.
>
> Now your lines:
> Works Yes: Jul 16 11:23:48 uc-sssdlbox20 sshd[2048]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.1 user=SVITLA5.ROOM\test01
> Works Not: Jul 16 11:24:01 uc-sssdlbox20 sshd[2157]: Invalid user APEX.CORP\\jake from 10.0.0.1 port 62970
> And I noticed this:
> OK: sshd[2048]: pam_sss(sshd:auth)
> Wrong: sshd[2157]: pam_unix(sshd:auth)
>
> ## Mapped ids from the domain SAMDOM and (*) the range may not overlap !
> idmap config ${VAR_SMB_WORKGROUP} : backend = ad
> idmap config ${VAR_SMB_WORKGROUP} : schema_mode = rfc2307
> idmap config ${VAR_SMB_WORKGROUP} : range = 10000-3999999

There is a big problem with all that: the only way to use sssd with Samba >= 4.8.0 is to use:

    idmap config ${VAR_SMB_WORKGROUP} : backend = sss

and not run winbind. You also do not get to use shares; it is authentication only. It also will not work correctly on a Samba AD DC, because you cannot change the backend and you cannot stop winbind from running. I would advise dumping sssd if the OP is using it.

Rowland
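The pam_sss vs. pam_unix observation above is the useful diagnostic in this thread: sshd logs "Invalid user X" when the name cannot be resolved through NSS (getpwnam fails), so PAM never sees a real account and only pam_unix reports, whereas a name that nss_sss resolves reaches pam_sss. The script below is an added example, not code from the thread or from the Samba or sssd projects; it classifies sshd auth lines per session pid and says whether the failure happened at the NSS lookup or inside PAM. The sample log is constructed from the two lines quoted above plus the pam_unix "user unknown" line assumed to follow an "Invalid user" entry; the verdict strings are this example's own names.

```python
"""Classify sshd authentication log lines by the PAM module that handled them.

Added diagnostic example for the pam_sss / pam_unix observation in the thread;
not code from the Samba or sssd projects.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: the two lines quoted in the thread, plus the pam_unix
# line assumed (for this example) to follow sshd's "Invalid user" entry.
SAMPLE_LOG = r"""
Jul 16 11:23:48 uc-sssdlbox20 sshd[2048]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.1 user=SVITLA5.ROOM\test01
Jul 16 11:24:01 uc-sssdlbox20 sshd[2157]: Invalid user APEX.CORP\\jake from 10.0.0.1 port 62970
Jul 16 11:24:01 uc-sssdlbox20 sshd[2157]: pam_unix(sshd:auth): check pass; user unknown
"""

INVALID_RE = re.compile(r"sshd\[(\d+)\]: Invalid user (\S+) from (\S+)")
PAM_RE = re.compile(r"sshd\[(\d+)\]: (pam_\w+)\(sshd:auth\): (.*)$")
USER_RE = re.compile(r"\buser=(\S*)")  # \b keeps "ruser=" from matching


@dataclass
class AuthEvent:
    pid: int
    domain: Optional[str]
    user: str
    module: Optional[str]   # pam_sss, pam_unix, or None when sshd itself logged it
    outcome: str            # "success", "failure", "unresolved" or "info"


def split_principal(name: str) -> Tuple[Optional[str], str]:
    """Split DOMAIN\\user (backslash possibly doubled by the logger) or user@REALM."""
    name = name.replace("\\\\", "\\")
    if "\\" in name:
        dom, user = name.split("\\", 1)
        return dom.upper(), user
    if "@" in name:
        user, dom = name.rsplit("@", 1)
        return dom.upper(), user
    return None, name


def parse_sshd_auth(text: str) -> List[AuthEvent]:
    """Turn sshd auth log lines into AuthEvents; lines that match nothing are skipped."""
    events: List[AuthEvent] = []
    for line in text.splitlines():
        m = INVALID_RE.search(line)
        if m:
            dom, user = split_principal(m.group(2))
            events.append(AuthEvent(int(m.group(1)), dom, user, None, "unresolved"))
            continue
        m = PAM_RE.search(line)
        if not m:
            continue
        pid, module, rest = int(m.group(1)), m.group(2), m.group(3)
        um = USER_RE.search(rest)
        dom, user = split_principal(um.group(1)) if um and um.group(1) else (None, "")
        if "authentication success" in rest:
            outcome = "success"
        elif "authentication failure" in rest or "user unknown" in rest:
            outcome = "failure"
        else:
            outcome = "info"
        events.append(AuthEvent(pid, dom, user, module, outcome))
    return events


def diagnose(events: List[AuthEvent]) -> Dict[int, str]:
    """One verdict per sshd session (pid). Verdict names are this example's own."""
    by_pid: Dict[int, List[AuthEvent]] = {}
    for ev in events:
        by_pid.setdefault(ev.pid, []).append(ev)
    verdicts: Dict[int, str] = {}
    for pid, evs in by_pid.items():
        modules = {e.module for e in evs if e.module}
        if any(e.outcome == "unresolved" for e in evs):
            # "Invalid user" means getpwnam() failed: NSS (nss_sss / winbind) never
            # returned the account, so pam_sss was never given a real user to check.
            verdicts[pid] = "nss-unresolved"
        elif "pam_sss" in modules and any(e.outcome == "success" for e in evs):
            verdicts[pid] = "sss-ok"
        elif "pam_sss" in modules:
            verdicts[pid] = "sss-failed"
        else:
            verdicts[pid] = "no-sss-in-stack"
    return verdicts


if __name__ == "__main__":
    evs = parse_sshd_auth(SAMPLE_LOG)
    for pid, verdict in diagnose(evs).items():
        who = [f"{e.domain}\\{e.user}" for e in evs if e.pid == pid and e.user]
        print(pid, verdict, who)
```

For a real box, feed it `journalctl -u sshd` or /var/log/auth.log output; a "nss-unresolved" verdict for the trusted domain points at name resolution (check `getent passwd 'APEX.CORP\jake'` first), not at the PAM stack.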
Thank you! I have food for tomorrow. Now I only want to voice some of my considerations.

Imagine that a domain had no trusts. At this time a PC became a member of this domain. After some time the DC made a trust with another domain. In this case existing members don't consider any extra configuration like adding knowledge about the new realm, DNS, etc. The existing configuration already provides the means of login and session for a user of a trusted domain.

In my case the Linux PC was informed about the trusting DNS before joining the domain. After setting DNS but before joining the domain I could authenticate users from both trusting and trusted domains with kinit without any modifications in krb5.conf. And that is what I was waiting for.

So, the PC already has a means to authenticate users from both domains. How to enable that means?

On Thu, 16 Jul 2020 at 18:30, Rowland penny via samba <samba at lists.samba.org> wrote:
> On 16/07/2020 16:11, L.P.H. van Belle via samba wrote:
> > First of all, why does the DOMAIN contain/show a dot in it?
> > ( I think it's a wrong setting in sssd, but I don't know sssd )
> > I know this is one of your REALMs and not the domain.
> >
> > Now your lines:
> > Works Yes: Jul 16 11:23:48 uc-sssdlbox20 sshd[2048]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.1 user=SVITLA5.ROOM\test01
> > Works Not: Jul 16 11:24:01 uc-sssdlbox20 sshd[2157]: Invalid user APEX.CORP\\jake from 10.0.0.1 port 62970
> > And I noticed this:
> > OK: sshd[2048]: pam_sss(sshd:auth)
> > Wrong: sshd[2157]: pam_unix(sshd:auth)
> >
> > ## Mapped ids from the domain SAMDOM and (*) the range may not overlap !
> > idmap config ${VAR_SMB_WORKGROUP} : backend = ad
> > idmap config ${VAR_SMB_WORKGROUP} : schema_mode = rfc2307
> > idmap config ${VAR_SMB_WORKGROUP} : range = 10000-3999999
>
> There is a big problem with all that: the only way to use sssd with Samba >= 4.8.0 is to use:
>
>     idmap config ${VAR_SMB_WORKGROUP} : backend = sss
>
> and not run winbind. You also do not get to use shares; it is authentication only. It also will not work correctly on a Samba AD DC, because you cannot change the backend and you cannot stop winbind from running. I would advise dumping sssd if the OP is using it.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
On 16/07/2020 22:13, Yakov Revyakin wrote:
> Thank you! I have food for tomorrow. Now I only want to voice some of my considerations.
>
> Imagine that a domain had no trusts. At this time a PC became a member of this domain. After some time the DC made a trust with another domain. In this case existing members don't consider any extra configuration like adding knowledge about the new realm, DNS, etc. The existing configuration already provides the means of login and session for a user of a trusted domain.
>
> In my case the Linux PC was informed about the trusting DNS before joining the domain. After setting DNS but before joining the domain I could authenticate users from both trusting and trusted domains with kinit without any modifications in krb5.conf. And that is what I was waiting for.
>
> So, the PC already has a means to authenticate users from both domains. How to enable that means?

Are you using sssd? If you are, then ask on the sssd-users mailing list, because it is sssd that will be doing the authentication, not Samba. We do not produce sssd, so know little about it. If you are not using sssd, then we can look into your problem.

Rowland