
I've got an AD domain-joined Ubuntu 22.04 server. I need to be able to log on to it using credentials from a trusted domain that is attached to the AD domain the server is a member of. Logon is not working using the trusted domain credentials. The following packages are installed:

winbind, krb5-user, sssd-ad, samba

The domains are domain1.org and domain2.local. domain1.org is the domain that my server is joined to, and domain2.local is the trusted domain.

I can log on using domain1.org creds, and all the following commands work:

ping domain1.org
ping domain2.local

id [email protected]
id [email protected]
wbinfo -i [email protected]
wbinfo -i [email protected]

wbinfo -n [email protected]
net cache flush
wbinfo --sid-to-uid <SID returned in the wbinfo -n command>

I am not able to log on to this Ubuntu server using domain2.local creds. I do have a Rocky Linux server that is set up pretty much the same way as this one, and I am able to log on using domain2.local creds.

Here are the samba, sssd, nsswitch, and krb5 configs:

/etc/samba/smb.conf

[global]
workgroup = DOMAIN1
realm = DOMAIN1.ORG
netbios name = MYTEST
security = ads
server signing = mandatory
client signing = mandatory
client lanman auth = no
min protocol = SMB2
client min protocol = SMB2
client max protocol = SMB3

restrict anonymous = 2
os level = 0
preferred master = no
local master = no
domain master = no

kerberos method = secrets and keytab

load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
template homedir = /home/%D/%U
template shell = /bin/bash

map acl inherit = yes
nt acl support = yes
inherit acls = Yes
acl group control = yes

log level = 10
max log size = 10
log file = /var/log/samba/samba.log

winbind use default domain = yes
idmap config * : range = 1100-65534
idmap config * : backend = tdb
idmap config * : backend = autorid
idmap config * : range = 1000000-999999999

/etc/sssd/conf.d/sssd.conf

[sssd]
config_file_version = 2
domains = DOMAIN1.ORG
reconnection_retries = 3
services = nss, pam, ssh, autofs

[domain/DOMAIN1.ORG]
#debug_level = 9
ad_hostname = mytest.domain1.org
id_provider = ad
auth_provider = ad
access_provider = ad
override_homedir = /home/%d/%u
default_shell = /bin/bash
cache_credentials = True
krb5_store_password_if_offline = True
krb5_realm = DOMAIN1.ORG
fallback_homedir = /home/%u/%d
ad_domain = domain1.org
use_fully_qualified_names = False
case_sensitive = False
ad_gpo_ignore_unreadable = True
dyndns_update = true
dyndns_refresh_interval = 43200
ad_update_samba_machine_account_password = True

[nss]
filter_users = root

[pam]
reconnection_retries = 3
offline_credentials_expiration = 2
offline_failed_login_attempts = 3
offline_failed_login_delay = 5

/etc/nsswitch.conf

passwd:         files winbind systemd sss
group:          files winbind systemd sss
shadow:         files sss
gshadow:        files

hosts:          files resolve dns
networks:       files

protocols:      db files
services:       db files sss
ethers:         db files
rpc:            db files

netgroup:       nis sss
automount:      sss

/etc/krb5.conf

[logging]
   default = FILE:/var/log/krb5.log

[libdefaults]
   default_realm = DOMAIN1.ORG
   dns_lookup_realm = true
   dns_lookup_kdc = true
   ticket_lifetime = 24h
   renew_lifetime = 7d
   forwardable = true
   udp_preference_limit = 1

I appreciate any and all comments and/or assistance. Thanks!

  • The actual error message might be helpful. Commented Apr 6, 2023 at 3:47
  • The error is "access denied" Commented Apr 6, 2023 at 3:57

1 Answer


First of all,

apt-get purge sssd

There is no point in running both sssd and winbind, and you need winbind for the trusts.

Second, fix your smb.conf. This is wrong:

winbind use default domain = yes
idmap config * : range = 1100-65534
idmap config * : backend = tdb
idmap config * : backend = autorid
idmap config * : range = 1000000-999999999

The last two lines override the two above them, and you cannot use winbind use default domain = yes with the autorid idmap backend. Remove the top three lines and, provided the required trusts are in place, it should work.

  • Hi and welcome to the site. I saw the comments in your original post about not being able to ask and that's odd: there is no reputation requirement for asking or answering questions. There is a minimum rep for commenting as a spam prevention measure, but not for asking/answering. As for not being able to register, that is particularly weird. Unfortunately, I can't help there (I'm a mod, but mods don't have access to login logs), could you maybe use unix.stackexchange.com/contact to let the admins know? Could it be getting lost as spam? Commented Apr 7, 2023 at 11:23
  • Thank you for the smb.conf info. It turns out that I had to install libpam-winbind and libnss-winbind, and then it started working. I also had to remove sssd, as you suggested. Commented Apr 8, 2023 at 21:32
  • They are the links between Samba and nsswitch and you will not get any user or groups without them. Commented Apr 10, 2023 at 9:09
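As an added example (not code from the question or the answer), the following Python lint applies the two rules the answer gives to the [global] section of an smb.conf: a parameter that appears more than once takes its last value (smb.conf(5) treats case and all whitespace in a parameter name as irrelevant, so the duplicates are detected on a canonicalised key), and winbind use default domain = yes must not be combined with the autorid idmap backend. It also rejects an idmap range whose low end is not below its high end, which the page does not discuss. The two sample sections are constructed from the question's smb.conf, one as posted and one with the three lines the answer says to remove taken out; the function names are this example's own.

```python
"""Lint an smb.conf [global] section for the idmap mistakes discussed in the answer."""
import re

# Constructed from the question's smb.conf: only the lines the lint cares about.
POSTED_GLOBAL = """\
[global]
workgroup = DOMAIN1
realm = DOMAIN1.ORG
security = ads
winbind use default domain = yes
idmap config * : range = 1100-65534
idmap config * : backend = tdb
idmap config * : backend = autorid
idmap config * : range = 1000000-999999999
"""

# The same section after removing the three lines the answer says to drop.
FIXED_GLOBAL = """\
[global]
workgroup = DOMAIN1
realm = DOMAIN1.ORG
security = ads
idmap config * : backend = autorid
idmap config * : range = 1000000-999999999
"""


def canon(name):
    """smb.conf(5): case and internal whitespace in a parameter name are irrelevant."""
    return re.sub(r"\s+", "", name).lower()


def parse_section(text, section="global"):
    """Map canonical parameter name -> list of values in file order for one section.
    Samba applies only the last value of a repeated parameter; keeping all of them
    lets the lint report the overridden ones."""
    seen = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"\[(.+)\]$", line)
        if header:
            current = header.group(1).strip().lower()
            continue
        if current != section or "=" not in line:
            continue
        key, value = line.split("=", 1)  # only the first '=' is significant
        seen.setdefault(canon(key), []).append(value.strip())
    return seen


def lint_idmap(text):
    """Return a list of findings; an empty list means none of the checked mistakes is present."""
    params = parse_section(text)
    findings = []
    for key, values in params.items():
        if len(values) > 1:
            findings.append(
                f"{key}: set {len(values)} times, Samba uses the last value ({values[-1]!r})"
            )
    effective = {k: v[-1] for k, v in params.items()}

    backend = effective.get("idmapconfig*:backend")
    if backend is None:
        findings.append("no idmap backend configured for the default domain '*'")

    use_default = effective.get("winbindusedefaultdomain", "no").lower()
    if backend == "autorid" and use_default in ("yes", "true", "1"):
        findings.append("'winbind use default domain = yes' cannot be combined with the autorid backend")

    rng = effective.get("idmapconfig*:range")
    if rng is not None:
        m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", rng)
        if not m or int(m.group(1)) >= int(m.group(2)):
            findings.append(f"idmap config * : range is not a valid LOW-HIGH pair: {rng!r}")
    return findings


if __name__ == "__main__":
    for label, conf in (("as posted", POSTED_GLOBAL), ("fixed", FIXED_GLOBAL)):
        print(f"== {label} ==")
        for finding in lint_idmap(conf) or ["no findings"]:
            print(" -", finding)
```

To lint a live system, pass the contents of /etc/samba/smb.conf to lint_idmap(); testparm -s will show you which value Samba actually ended up with for each parameter, which is the same "last one wins" behaviour the duplicate check reports.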
