Having set up a two-way trust between a Samba domain (with LDAP backend) and an AD domain, I find that

1. Users from the trusted domain are authenticated against the proper DC (that is, their regular password works), but only if there is a corresponding local domain user.

2. Users from the trusted domain are being mapped onto Samba/POSIX users associated with the local Samba domain, despite the fact that the correct idmap objects are being created in the directory. If they connect to a share, they connect as the local domain user (although, oddly, they can create new files and directories but not delete old ones).

More information:

The local domain uses an LDAP backend, with ldapsam:editposix and ldapsam:trusted set. LDAP is used for all domain configs (BUILTIN, OFFICE domain and external domains). Winbind is used on the domain controllers for GID/UID allocation (and for id mappings for foreign domains), but nss_ldap is used on all the servers, DC or member, to provide the POSIX user information via nsswitch.conf. winbind is not currently running on the member servers (not needed for a single domain because of nss_ldap).

All this was working perfectly. Adding the domain trust worked flawlessly. Then I tried - on the PDC and BDC only - to have users from the trusted domain connecting to shares. So I changed nsswitch.conf from

    passwd: files ldap
    group:  files ldap

to

    passwd: files ldap winbind
    group:  files ldap winbind

I added details of the AD domain's PDC to krb5.conf, set the auth user file and restarted winbindd for luck.

* "wbinfo -u" and "wbinfo -g" list the trusted domain users and groups.
* "getent passwd" returns the trusted users in the list as TRUSTED\user.name.
* The idmap OU in the directory now has two dozen entries (the AD domain is only used for one specialist part of the company).

So far so good. "getent group" and "getent passwd" show that the TRUSTED domain users have been added and are visible as POSIX users. TRUSTED users can authenticate to any OFFICE member servers using their own passwords (with the important caveat mentioned above).

At this point, I'm at something of a loss.

I can ssh into the domain controller as TRUSTED\test.user, whether or not there is a corresponding user in the local domain, and the correct UID and GID will be assigned, but I can only connect to Samba as that user if there is a corresponding local domain user and I am then assigned their UID and GID.

Can anybody suggest what I may have missed? I can post the relevant domain controller configs.

I don't know if it's relevant to this, but winbind keeps trying to write to krb5.conf and being blocked by selinux. Haven't had time to investigate that.

-- 
Bruce

I unfortunately do not know how to turn cheese into gold.

-- 
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
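The symptom above (a TRUSTED\ user connecting to a share and ending up with the UID and GID of a same-named local user) shows up in NSS as two passwd entries, one domain-prefixed and one plain, that share a UID. The following diagnostic is an added example, not code from Bruce's post or from the Samba project: it reads passwd-format lines (for instance the output of `getent passwd` on the DC) and prints every UID that a domain-prefixed user shares with a local user. The sample passwd lines are constructed for illustration, and the domain separator is assumed to be the default backslash; adjust the `index()` test if `winbind separator` is set to something else.

```shell
#!/bin/sh
# Added diagnostic (not from the original post or from Samba itself).
# Scan passwd-format lines for a UID that is used both by a domain-prefixed
# entry (TRUSTED\name, as winbind emits with the default separator) and by a
# plain local-domain entry. A hit is exactly the overlap described in the
# post: the trusted user is landing on a local user's UID.

# Usage: getent passwd | find_uid_collisions
# Prints "uid domain_user(s) local_user(s)", one line per shared UID.
find_uid_collisions() {
    awk -F: '
        # $1 = account name, $3 = UID. Names containing a backslash are
        # winbind (foreign-domain) entries; everything else is local.
        index($1, "\\") { dom[$3] = (dom[$3] ? dom[$3] " " : "") $1; next }
        { loc[$3] = (loc[$3] ? loc[$3] " " : "") $1 }
        END {
            for (u in dom)
                if (u in loc) print u, dom[u], loc[u]
        }' | sort -n
}

# Constructed sample passwd data (not captured from a real system).
# test.user exists both as a local OFFICE user (UID 1002) and as a
# winbind-mapped TRUSTED user that has been given the same UID.
SAMPLE='root:x:0:0:root:/root:/bin/bash
bruce:x:1001:513:Bruce:/home/bruce:/bin/bash
test.user:x:1002:513:Test User:/home/test.user:/bin/bash
TRUSTED\test.user:*:1002:10001:Test User:/home/TRUSTED/test.user:/bin/false
TRUSTED\jane.doe:*:10002:10001:Jane Doe:/home/TRUSTED/jane.doe:/bin/false'

# Number of shared UIDs in the sample; a correctly separated idmap gives 0.
collision_count() {
    printf '%s\n' "$SAMPLE" | find_uid_collisions | wc -l | tr -d ' '
}

# Run stand-alone: list the collisions in the constructed sample.
printf '%s\n' "$SAMPLE" | find_uid_collisions
```

A clean setup prints nothing; each line printed names a UID to check against the idmap entries in the directory (the winbind-allocated UID for the TRUSTED SID should differ from the local user's uidNumber). Running it on the DC and on a member server separately also shows whether nss_ldap and winbind disagree about the same account.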