Vaughan, Robert J
2024-Nov-12 17:20 UTC
[Samba] Accessing Samba domain member shares from trusted domain
Hi Ralph

So in my situation where the AD trust is one-way, not transitive, and the trusting domain is external, and both domains are AD (Kerberos only, no NTLM)?

This should all work for a Samba server domain member in the trusting domain sharing to the trusted domain, where the Samba server cannot see the trusted domain DC/KDC?

Thanks,
Rob

-----Original Message-----
From: Ralph Boehme <slow at samba.org>
Sent: Tuesday, November 12, 2024 10:22 AM
To: Vaughan, Robert J <vaughar2 at gdls.com>; samba at lists.samba.org
Subject: Re: [Samba] Accessing Samba domain member shares from trusted domain

On 11/12/24 3:06 PM, Vaughan, Robert J via samba wrote:
> It's not a straightforward task it seems.

it is. Read page 14 ff, ignore the rest as it applies to Samba as an AD DC.

-slow

--
SerNet Samba Team Lead https://sernet.de/
Samba Team Member https://samba.org/
SAMBA+ packages https://samba.plus/
Ralph Boehme
2024-Nov-12 17:25 UTC
[Samba] Accessing Samba domain member shares from trusted domain
On 11/12/24 6:20 PM, Vaughan, Robert J via samba wrote:
> So in my situation where the AD trust is one-way, not transitive,
> and the trusting domain is external, and both domains are AD
> (Kerberos only, no NTLM)?
>
> This should all work for a Samba server domain member in the
> trusting domain sharing to the trusted domain, where the Samba
> server cannot see the trusted domain DC/KDC?

yes.

I would make sure to use "winbind scan trusted domains = yes" and ignore the wbinfo -m and --online-status stuff.

As a domain member, we should only ever talk to a DC of our primary domain and with "winbind scan trusted domains = yes" that's exactly how we will behave. Trusted domains are added to our internal list of known domains when a user from a trusted domain authenticates and will then start appearing in the wbinfo commands, but not otherwise.

-slow