Battersby-Cornmell, Robin
2012-Feb-10 11:13 UTC
[Samba] Samba with clients in multiple domains
Dear all,

I've not got a good starting point I'm afraid, but I was forced to deploy Samba under pressure of failing hardware so an urgent migration was done. We didn't get the IBM AIX 6.1 supplied one running at all, so we pulled down the samba.org version 3.4.3. We couldn't get that working as we wished, but it did at least share. It has been merrily allowing any request to mount (read-only) the shares. All was well with the function, but obviously it is not appropriate for the sensitive data we are sharing. The setting I had to put in was security=SHARE and on each share, we have guest login allowed.

My problem is that our clients are in at least two domains and the server is standalone, i.e. no LDAP or whatever connection set up on the operating system in /etc/netsrv.conf or anything. We are an outsourcing company so we have our servers & users and the client company users all wanting to access the data.

I've tried reading the manual pages, but I have to understand much more about security and protocols than I do to get my foot in the door, so to speak. The more I try to find out, the more confused I get. What I have tried has always prevented any access. Great for security, but useless for actually operating the business.

It has been parked for quite a while now, especially as the failing hardware also allowed guest connections so I had nothing to compare to. I've now forgotten what attempts I have made, but now Internal Audit are on my case to lock it down. Can anyone point me in the right direction? I would prefer to grant access to an Active Directory group of users if that is possible, but then it needs to validate the user on more than one domain......um?

My head hurts already.

Full config (slightly sanitised) can be posted if this is useful, but I didn't want to flood the thread first off.

Robin
Liverpool/Blackburn
UK

Diligenta Limited (No. 5535029) is a subsidiary of Tata Consultancy Services Limited. Diligenta 2 Limited (No. 4087012) is a subsidiary of Diligenta Limited. Both companies are registered in England and have their registered office at Lynch Wood, Peterborough, PE2 6FY and are authorised and regulated by the Financial Services Authority. The information in this e-mail is confidential and may be legally privileged. It is intended solely for the addressee and access to this e-mail by anyone else is unauthorised. Although this message and any attachments are believed to be free of any virus or other defect that might affect any computer system into which it is received and opened, it is the responsibility of the recipient to ensure that it is virus free and no responsibility is accepted by Diligenta Limited or Diligenta 2 Limited for any loss or damage in any way arising from its use. Any views or opinions presented are solely those of the author and do not necessarily represent those of Diligenta Limited or Diligenta 2 Limited. Replies to this e-mail may be monitored for operational or business reasons.
Hello again,

First of all, do the 2 domains (Windows domains?) trust each other? Let the Samba be a member server of one of the domains. An example could be:

   [global]
   workgroup = yourdomain
   security = DOMAIN (or ads?)
   smb ports = 139
   ...
   idmap domains = Domain1 Domain2
   ...
   idmap config Domain1 : backend = ad   #(or rid?)
   idmap config Domain1 : range = 10001-20000
   ...
   idmap config Domain2 : backend = ad   #(or rid?)
   idmap config Domain2 : range = 20001-30000
   winbind separator = +

If so, you can have winbind doing the job for you. Google for "winbind 2 domains".

Good luck

-----------------------------------------------
EDV Daniel Müller
Head of IT
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen
Tel.: 07071/206-463, Fax: 07071/206-499
eMail: mueller at tropenklinik.de
Internet: www.tropenklinik.de
-----------------------------------------------
Hi Robin,

Documentation on the web is fine for configuring kerberos/smb/winbind for one domain, but I also found it hard to get the sid/uid mapping right in a multiple domain environment. Idmap has changed so many times since smb 3.0 that it is hard to know which doc is fine... I hope the 3.6 way will be the definitive one :-)

Here is a smb.conf that is working fine with two domains. servera is joined to AD kerberos DOMA.LOCAL. There is interdomain trust with DOMB.LOCAL.

==================
[global]
   security = ads
   realm = DOMA.LOCAL
   password server = 192.168.123.11
   workgroup = DOMA
   winbind separator = +
   idmap backend = tdb
   idmap uid = 1000000-1999999
   idmap gid = 1000000-1999999
   idmap config DOMA : backend = rid
   idmap config DOMA : range = 10000 - 49999
   idmap config DOMB : backend = rid
   idmap config DOMB : range = 50000 - 99999
   winbind enum users = yes
   winbind enum groups = yes
   template homedir = /home/%D/%U
   template shell = /bin/bash
   client use spnego = yes
   client ntlmv2 auth = yes
   encrypt passwords = yes
   winbind use default domain = yes
   restrict anonymous = 2
   wins server = 192.168.123.11
   printcap name = /etc/printcap
   load printers = no

[myshare]
   path = /home/myshare
   guest ok = no
   write list = @"group1" @"DOMB+group2"
   writeable = yes
   force create mode = 0770
==============

Hope this helps,

Denis Cardon

--
Denis Cardon
Tranquil IT Systems
44 bvd des pas enchantés
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.57
http://www.tranquil-it-systems.fr
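As an added example (not from this thread and not Samba's own tooling), a small Python checker that reads a minimal smb.conf in the style of the two configurations above, flags the starting state Robin described (security = share plus guest ok = yes) and verifies that the per-domain idmap ranges Daniel and Denis set up do not overlap each other or the default range. The embedded samples are constructed, and parse_smb_conf and audit are the example's own names.

```python
import re

# Constructed samples (not from any live server): the thread's starting
# point, and the winbind-based configuration proposed in reply.
BEFORE = "[global]\n   security = share\n[data]\n   guest ok = yes\n"
AFTER = """[global]
   security = ads
   idmap uid = 1000000-1999999
   idmap config DOMA : range = 10000 - 49999
   idmap config DOMB : range = 50000 - 99999
[myshare]
   guest ok = no
"""

def parse_smb_conf(text):
    """Minimal smb.conf reader: {section: {key: value}}, keys lower-cased."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].split(';', 1)[0].strip()
        if not line:
            continue
        if line.startswith('[') and line.endswith(']'):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif '=' in line and section is not None:
            key, value = line.split('=', 1)
            conf[section][' '.join(key.lower().split())] = value.strip()
    return conf

def audit(conf):
    """Findings a reviewer would raise against a parsed smb.conf; [] = none."""
    findings, g = [], conf.get('global', {})
    if g.get('security', 'user').lower() == 'share':
        findings.append('global: security = share, no per-user authentication')
    for name, sec in conf.items():
        if name != 'global' and sec.get('guest ok', 'no').lower() in ('yes', 'true', '1'):
            findings.append(f'{name}: guest ok = yes, unauthenticated access')
    # Every uid range (default plus per-domain) must be disjoint, or two
    # domains' users can map onto the same Unix uid.
    ranges = {}
    for key, value in g.items():
        m = re.fullmatch(r'idmap uid|idmap config (\S+?) ?: ?range', key)
        if m:
            lo, hi = (int(x) for x in re.split(r'\s*-\s*', value))
            ranges[m.group(1) or 'default'] = (lo, hi)
    spans = sorted(ranges.items(), key=lambda kv: kv[1])
    for (a, (_, ahi)), (b, (blo, _)) in zip(spans, spans[1:]):
        if blo <= ahi:
            findings.append(f'idmap ranges for {a} and {b} overlap')
    return findings
```

On a real server the same checks can be run over the output of testparm -s, which prints the effective configuration with defaults resolved.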