LinuxQuestions.org
Old 05-01-2018, 06:12 AM   #1
Borked-it
allowing trusted domain windows ad user to login to Winbind/Samba/Krb5 domain joined Linux box?


Hi, I have a Linux box that is joined to a Windows domain (DOMAIN.A.local); users from DOMAIN.A.local can log in perfectly. DOMAIN.A.local trusts another domain (DOMAIN.B.local); users from DOMAIN.B.local cannot log in, but it does seem to be able to enumerate the users and groups from DOMAIN.B.local.

(Windows boxes log in with the trusted domain users fine.)

Firstly, is it actually possible to configure the Linux box to allow logins from trusted domains?

Secondly, if it is possible, what config settings do I need to get it to work?

Below is what I currently have configured:

smb.config

[global]

work = domain-a
security = ads
allow trusted domain = yes
realm = domain.a.local
password server = dc.domain.a.local
domain logons = no
templates homedir = /home/%D/%U
template shell = /bin/bash
winbind enum groups = yes
winbind enum users = yes
winbind user defualt domain = yes
domain master = no
local masster = no
preferred master = no
os level = 0
idmap config *:backend = tdb
idmap config *:range = 11000-20000
idmap config DOMAIN-A.local:backend = rid
idmap config DOMAIN-A.local:range=10000000-15000000
idmap config DOMAIN-B.local:backend = rid
idmap config DOMAIN-B.local:range=15000001-19000000


krb5.conf

[libdefaults]
default_realm = DOMAIN-A.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwadable = true

[realms]
DOMAIN-A.LOCAL = {
kdc = domain-a.local
admin_server = dc.domain.a.local
}

#commented out as I'm not sure if these are needed
#DOMAIN-B.LOCAL = {
#kdc = domain-a.local
#admin_server = dc.domain.a.local

[domain_realms]
.domain-a.local = DOMAIN-A.LOCAL
domain-a.local = DOMAIN-A.LOCAL

#commented out as I'm not sure if these are needed
#.domain-b.local = DOMAIN-A.LOCAL
#domain-b.local = DOMAIN-A.LOCAL




wbinfo -m
BUILTIN
HOST)
DOMAIN-A
DOMAIN-B

wbinfo --online-status
BUILTIN : online
HOST): online
DOMAIN-A : online
DOMAIN-B : offline

wbinfo -u
admin
guest
krbrgt
aaron


id aaron@domain.a.local
uid=11005 (aaron) guid=11004(domain users) groups=11004(domain users),11001(BUILTIN\users)

id bob@domain.b.local
uid=11007 (domain-b\bob) gid=11024(domain-b\domain users) groups=11024(domain-b\domain users)

Any help with this would be greatly appreciated.
 
  

