Sergey Stepanov
2010-Aug-11 14:36 UTC
[Samba] How to configure winbind to work with two domain controllers?
Hello

I have two domain controllers on win2k3 (say srv1.domain1 and
srv2.domain2) and winbind running on 3rd linux server (

When I put "workgroup = domain1" in smb.conf, I can work with domain1
only, i.e.
# ntlm_auth --username=dom1user --domain=domain1 --password=goodpassword
NT_STATUS_OK: Success (0x0)
but with domain2 fails:
# ntlm_auth --username=dom2user --domain=domain2 --password=goodpassword
NT_STATUS_NO_SUCH_USER: No such user (0xc0000064)

When I change workgroup to "workgroup = domain2", the things changed:
domain1 fails:
# ntlm_auth --username=dom1user --domain=domain1 --password=goodpassword
NT_STATUS_NO_SUCH_USER: No such user (0xc0000064)
domain2 is ok:
# ntlm_auth --username=dom2user --domain=domain2 --password=goodpassword
NT_STATUS_OK: Success (0x0)

Please, help, how to tell winbind to work with both domain controllers.

winbind and ntlm_auth built from RHEL/CENTOS 5.5 srpm:
# /usr/bin/ntlm_auth -V
Version 3.0.33-3.28
/usr/sbin/winbindd -V
Version 3.0.33-3.28

kerberos is not used.

sample smb.conf:
[global]
winbind separator = +
winbind use default domain = no
winbind enum users = no
winbind enum groups = no
winbind use default domain = no
security = domain
encrypt passwords = yes
wins support = no
enhanced browsing = no
domain master = no
domain logons = no
local master = no
preferred master = no
name resolve order = lmhosts
auth methods = winbind
workgroup = domain1 # or domain2
netbios name = SERVER
password server = ip1 ip2 * # or without *
Gaiseric Vandal
2010-Aug-11 16:10 UTC
[Samba] How to configure winbind to work with two domain controllers?
Your Linux server needs to be in one domain only. On the Windows domain
controllers, you can establish trusts between the domains. On your Linux
server you may need to specify separate idmap parameters for each domain.
Based on "man idmap_ad" it might look something like

...
idmap domains = Domain1 Domain2
...
idmap config Domain1 : backend = ad
idmap config Domain1 : range = 10001-20000
...
idmap config Domain2 : backend = ad
idmap config Domain2 : range = 20001-30000
...

On 08/11/2010 10:36 AM, Sergey Stepanov wrote:
> Hello
>
> I have two domain controllers on win2k3 (say srv1.domain1 and
> srv2.domain2) and winbind running on 3rd linux server (
>
> When I put "workgroup = domain1" in smb.conf, I can work with domain1
> only, i.e.
> # ntlm_auth --username=dom1user --domain=domain1 --password=goodpassword
> NT_STATUS_OK: Success (0x0)
> but with domain2 fails:
> # ntlm_auth --username=dom2user --domain=domain2 --password=goodpassword
> NT_STATUS_NO_SUCH_USER: No such user (0xc0000064)
>
> When I change workgroup to "workgroup = domain2", the things changed:
> domain1 fails:
> # ntlm_auth --username=dom1user --domain=domain1 --password=goodpassword
> NT_STATUS_NO_SUCH_USER: No such user (0xc0000064)
> domain2 is ok:
> # ntlm_auth --username=dom2user --domain=domain2 --password=goodpassword
> NT_STATUS_OK: Success (0x0)
>
> Please, help, how to tell winbind to work with both domain controllers.
>
> winbind and ntlm_auth built from RHEL/CENTOS 5.5 srpm:
> # /usr/bin/ntlm_auth -V
> Version 3.0.33-3.28
> /usr/sbin/winbindd -V
> Version 3.0.33-3.28
>
> kerberos is not used.
>
> sample smb.conf:
> [global]
> winbind separator = +
> winbind use default domain = no
> winbind enum users = no
> winbind enum groups = no
> winbind use default domain = no
> security = domain
> encrypt passwords = yes
> wins support = no
> enhanced browsing = no
> domain master = no
> domain logons = no
> local master = no
> preferred master = no
> name resolve order = lmhosts
> auth methods = winbind
> workgroup = domain1 # or domain2
> netbios name = SERVER
> password server = ip1 ip2 * # or without *
>
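
Added example, not part of the thread and not Samba's own code: with one "idmap config" range per domain as suggested in the reply above, the ranges must not overlap, or users from different domains can end up with the same Unix UID/GID. This Python check parses an smb.conf fragment (a constructed sample modelled on the reply's lines) and reports domains whose ranges collide; the function names are hypothetical.

```python
import re
from itertools import combinations

# Constructed smb.conf fragment modelled on the idmap lines in the reply.
SAMPLE = """\
[global]
    workgroup = DOMAIN1
    security = domain
    idmap domains = Domain1 Domain2
    idmap config Domain1 : backend = ad
    idmap config Domain1 : range = 10001-20000
    idmap config Domain2 : backend = ad
    idmap config Domain2 : range = 20001-30000
"""

IDMAP_RANGE = re.compile(
    r"^\s*idmap\s+config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$",
    re.IGNORECASE,
)

def idmap_ranges(conf_text):
    """Return {domain: (low, high)} for every 'idmap config DOM : range' line."""
    ranges = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # skip blanks and comment lines
            continue
        m = IDMAP_RANGE.match(line)
        if m:
            low, high = int(m.group(2)), int(m.group(3))
            if low > high:
                raise ValueError(f"inverted range for {m.group(1)}: {low}-{high}")
            ranges[m.group(1)] = (low, high)
    return ranges

def overlapping(ranges):
    """Return sorted domain pairs whose ID ranges share at least one ID."""
    return sorted(
        (a, b)
        for (a, ra), (b, rb) in combinations(sorted(ranges.items()), 2)
        if ra[0] <= rb[1] and rb[0] <= ra[1]
    )

if __name__ == "__main__":
    found = idmap_ranges(SAMPLE)
    print(found)
    print("overlaps:", overlapping(found) or "none")
```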