Carlos Eduardo Pedroza Santiviago
2006-May-11 11:42 UTC
[Samba] Trust relationship and LDAP backend
Hi, I have a domain using LDAP backend, and recently we've managed to establish a trust relation with another domain in our network, which uses a pure NT4 server. After that, some accounts from the trusted domain started being created in our base. The user created doesn't have the same attributes as a valid user (he doesn't have sambaSamAccount, for example). But for auditing purposes, this shouldn't happen. Is this a normal behaviour?
On Thu, 2006-05-11 at 08:42 -0300, Carlos Eduardo Pedroza Santiviago wrote:
> Hi,
>
> I have a domain using LDAP backend, and recently we've managed to establish
> a trust relation with another domain in our network, which uses a pure NT4
> server. After that, some accounts from the trusted domain started being
> created in our base. The user created doesn't have the same attributes as a
> valid user (he doesn't have sambaSamAccount, for example). But for auditing
> purposes, this shouldn't happen.
>
> Is this a normal behaviour?

If you don't use winbindd (nss_winbindd) it is.

Samba needs a posix user to be able to accept any login on the server. If you run winbindd in trusted domain only mode then it will create posix accounts for you on the fly (allocating them out of the idmap uid range).

If you do not provide corresponding posix accounts for trusted users then samba will try to create users in the local account storage by means of the add user account scripts. (But it will not populate them with windows account attributes because they are not local accounts, and all the information is retrieved by the remote trusted server).

I recommend you use winbindd in such an environment; it will not only keep your ldap tree clear but it will also act as a connection proxy and will lessen the load on your DCs as well as do some caching.

Simo.

--
Simo Sorce
Samba Team GPL Compliance Officer
email: idra@samba.org
http://samba.org
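For the auditing concern raised in this thread, the following added example (not code from either poster or from the Samba project) lists the directory entries that carry posixAccount but not sambaSamAccount, which is the shape of account the reply describes. It assumes an LDIF export of the directory; the sample DNs and values are constructed.

```python
import base64

# Constructed sample LDIF (not from the thread): a normal Samba user, a
# posix-only entry of the kind described above, and a non-account entry.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=org
objectClass: posixAccount
objectClass: sambaSamAccount
uidNumber: 1001

dn: uid=bob,ou=People,
 dc=example,dc=org
objectClass: account
objectClass: posixAccount
description:: Y3JlYXRlZCBieSBhZGQgdXNlciBzY3JpcHQ=

dn: ou=People,dc=example,dc=org
objectClass: organizationalUnit
"""

def parse_ldif(text):
    """Yield one dict per entry: lowercase attribute name -> list of values."""
    # LDIF folding: a line starting with one space continues the previous line.
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")
    for block in unfolded.split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            attr, _, rest = line.partition(":")
            if rest.startswith(":"):  # "attr:: value" means base64-encoded
                value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
            else:
                value = rest.strip()
            entry.setdefault(attr.lower(), []).append(value)
        if "dn" in entry:
            yield entry

def posix_without_samba(text):
    """Return DNs of entries that are posixAccount but lack sambaSamAccount."""
    flagged = []
    for entry in parse_ldif(text):
        classes = {c.lower() for c in entry.get("objectclass", [])}
        if "posixaccount" in classes and "sambasamaccount" not in classes:
            flagged.append(entry["dn"][0])
    return flagged

if __name__ == "__main__":
    for dn in posix_without_samba(SAMPLE_LDIF):
        print("posix-only account:", dn)
```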
Carlos Eduardo Pedroza Santiviago
2006-May-13 09:55 UTC
[Samba] Trust relationship and LDAP backend
Hi, I have a domain using LDAP backend, and recently we've managed to establish a trust relation with another domain in our network, which uses a pure NT4 server. After that, some accounts from the trusted domain started being created in our base. The user created doesn't have the same attributes as a valid user (he doesn't have sambaSamAccount, for example). But for auditing purposes, this shouldn't happen. Is this a normal behaviour?