Score:0

Trusted domain (AD) users Unable to Login SLES server using Winbind


There are two domains (different Active Directory 2019 forests), abc.com (default domain) and xyzde5.com (trusted domain), with a one-way incoming trust to xyzde5.com and an outgoing trust from abc.com. We can log in default domain users (abc.com) on the SLES 15 SP2 client server (abc.com), but we are unable to access trusted domain users (xyzde5.com) from the same SLES client server. However, we are able to log in trusted users on the Windows client systems; the only issue is on the SLES clients.

Note: We also need the UID and GID to be taken from Active Directory only. (Within the default domain everything is working fine; we are looking for a similar kind of solution for trusted domain users.)

Do we need to open any port from the default domain member SLES server to the trusted domain xyzde5.com? And is any additional configuration needed for trusted user login to work? Please advise on this! Thanks in advance!

We could find the following error message in winbindd.log:

    Could not convert sid S-1-5-21-1090010102-1892896508-1865459154-1106: NT_STATUS_NO_SUCH_USER

The above SID matches a trusted domain user.

Please find the Winbind configuration as follows:

smb.conf

    [global]
    workgroup = abc
    realm = ABC.COM
    usershare allow guests = YES
    idmap config * : backend = tdb
    idmap config * : range = 5000000-5999999
    idmap config  ABC : backend = ad
    idmap config  ABC : range = 10-9999
    idmap config  ABC : schema_mode = rfc2307
    idmap config  ABC : unix_nss_info = yes

    idmap config  XYZDE5 : backend = ad
    idmap config  XYZDE5 : range = 10000-19999
    idmap config  XYZDE5 : schema_mode = rfc2307
    idmap config  XYZDE5 : unix_nss_info = yes
    kerberos method = secrets and keytab
    security = ADS
    template homedir = /home/%U
    template shell = /bin/bash
    winbind offline logon = yes
    log file = /var/log/samba/%m.log
    log level = 5
    vfs objects = acl_xattr
    map acl inherit = yes
    store dos attributes = yes

    winbind use default domain = yes

    winbind enum groups = yes
    winbind nested groups = no
    winbind expand groups = 2
    winbind enum users = yes
    winbind refresh tickets = yes
    winbind separator = +
    client use spnego = yes

krb5.conf

    includedir  /etc/krb5.conf.d
    [libdefaults]
    default_realm = abc.com
    clockskew = 300
    [realms]
    abc.com = {
        kdc = adserver001.abc.com
        default_domain = abc.com
        admin_server = adserver001.abc.com
    }
    xyzde5.com = {
        kdc = trustad001.xyzde5.com
        admin_server = trustad001.xyzde5.com
    }
    [domain_realm]
    abc.com = abc.com
    .abc.com = abc.com
    xyzde5.com = xyzde5.com
    .xyzde5.com = xyzde5.com
    [appdefaults]
    pam = {
        ticket_lifetime = 1d
        renew_lifetime = 1d
        forwardable = true
        proxiable = false
        minimum_uid = 1
    }
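The triage script below is an added example and is not part of the question or of Samba; it shows how to check the two artifacts posted above against each other. It parses every `idmap config <DOMAIN> : range` line from smb.conf, flags ranges that overlap each other or the local system UID space (the `ad` backend only maps objects whose uidNumber/gidNumber falls inside the configured range, so range mistakes surface as lookup failures), and groups the `Could not convert sid ... NT_STATUS_NO_SUCH_USER` lines from winbindd.log by domain SID so you can see which domain the failing RIDs belong to. The smb.conf excerpt is copied from the question; the log excerpt is constructed (only the first error line is the one quoted above), and the `domain_sids` mapping that names a domain SID as XYZDE5 is an assumption for illustration.

```python
import re
from collections import defaultdict

# Constructed input: the idmap lines from the smb.conf posted in the question.
SMB_CONF = """\
[global]
workgroup = abc
idmap config * : backend = tdb
idmap config * : range = 5000000-5999999
idmap config  ABC : backend = ad
idmap config  ABC : range = 10-9999
idmap config  XYZDE5 : backend = ad
idmap config  XYZDE5 : range = 10000-19999
"""

# Constructed winbindd.log excerpt: the first error line is the one quoted in the
# question, the remaining SIDs are made-up values for illustration only.
WINBINDD_LOG = """\
constructed filler line that the parser must ignore
Could not convert sid S-1-5-21-1090010102-1892896508-1865459154-1106: NT_STATUS_NO_SUCH_USER
Could not convert sid S-1-5-21-1090010102-1892896508-1865459154-1107: NT_STATUS_NO_SUCH_USER
Could not convert sid S-1-5-21-111111111-222222222-333333333-1105: NT_STATUS_NO_SUCH_USER
"""

RANGE_RE = re.compile(
    r"^\s*idmap\s+config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)", re.I | re.M)
# Domain SID is everything up to the last dash, RID is the final component.
SID_RE = re.compile(r"Could not convert sid (S-1-\d+(?:-\d+)+)-(\d+): (NT_STATUS_\w+)")


def parse_idmap_ranges(conf):
    """Return {DOMAIN: (low, high)} for every 'idmap config X : range' line."""
    ranges = {}
    for dom, lo, hi in RANGE_RE.findall(conf):
        ranges[dom.upper()] = (int(lo), int(hi))
    return ranges


def check_ranges(ranges, local_uid_max=999):
    """Flag inverted ranges, ranges colliding with local UIDs, and pairwise overlaps."""
    issues = []
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        lo_a, hi_a = ranges[a]
        if lo_a > hi_a:
            issues.append(f"{a}: range {lo_a}-{hi_a} is inverted")
        if lo_a <= local_uid_max:
            issues.append(f"{a}: range {lo_a}-{hi_a} overlaps local system UIDs (0-{local_uid_max})")
        for b in doms[i + 1:]:
            lo_b, hi_b = ranges[b]
            if lo_a <= hi_b and lo_b <= hi_a:
                issues.append(f"{a} and {b}: idmap ranges overlap ({lo_a}-{hi_a} vs {lo_b}-{hi_b})")
    return issues


def unresolved_sids(log_text):
    """Group 'Could not convert sid' failures as {domain SID: sorted RIDs}."""
    by_domain = defaultdict(set)
    for dom_sid, rid, _status in SID_RE.findall(log_text):
        by_domain[dom_sid].add(int(rid))
    return {d: sorted(r) for d, r in by_domain.items()}


def report(conf, log_text, domain_sids=None):
    """Combine both checks. domain_sids maps a domain SID to its short name
    (hypothetical input; an admin would fill it from 'wbinfo -D <DOMAIN>' output)."""
    domain_sids = domain_sids or {}
    ranges = parse_idmap_ranges(conf)
    lines = [f"idmap ranges: {ranges}"]
    lines += [f"WARNING {issue}" for issue in check_ranges(ranges)]
    for dom_sid, rids in unresolved_sids(log_text).items():
        name = domain_sids.get(dom_sid, "unknown domain")
        cfg = "configured" if name in ranges else "NO idmap config"
        lines.append(f"{len(rids)} unresolved SID(s) from {dom_sid} [{name}, {cfg}]: RIDs {rids}")
    return lines


if __name__ == "__main__":
    # Assumed mapping: the question states this SID belongs to a trusted-domain user.
    assumed = {"S-1-5-21-1090010102-1892896508-1865459154": "XYZDE5"}
    print("\n".join(report(SMB_CONF, WINBINDD_LOG, assumed)))
```

Run it against the real `/etc/samba/smb.conf` and `/var/log/samba/winbindd.log` by reading those files into `conf` and `log_text`; a domain SID that shows up in the log but has no matching `idmap config` range, or a RID set from a configured domain, each point the investigation in a different direction (trust/lookup path versus idmap attributes and ranges).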