Hitzler Ronald
2002-May-29 00:39 UTC
[Samba] trusted domains - samba user authentification
Hi!

Background: We have a normal NT 4.0 Domain called AIRPORT and a Windows 2000 Domain (server is in mixed mode) called MAIL. Connected to the AIRPORT Domain is a Samba 2.0.6 Server with security = domain. Both domains are trusting each other.

I've a little problem understanding the user authentication with the trusted MAIL domain. I'll explain it with a little example:

We have a user called "testuser" on both domains (AIRPORT\testuser and MAIL\testuser). If I create a share on the AIRPORT PDC (WINDOWS NT 4.0) for the user "testuser", I can access it from AIRPORT. If I log on to MAIL, I'm not allowed to access it. If I expand the user rights to MAIL\testuser I can access again. So far no problem.

BUT: If I make a samba share (remember: the samba server is using domain security and it's connected to AIRPORT) for our testuser there is no difference which domain I use for login. If I log on to MAIL I also have access to the Samba Share.

It looks like samba makes no difference between MAIL\testuser and AIRPORT\testuser.

Now my questions: Is it right that samba doesn't consider the "Domain-Part" of the username if the domains are trusted? Is it a missing feature or "should it be as it is"? Or am I just too stupid to understand the whole trusted-thing?

Thanks for your help!

---------------------------------------------------------------------------
Ronald Hitzler
I have a similar setup - multiple domains with trusts, and Samba 2.2.4 instances on Solaris and IRIX joined to a Windows 2000 domain.

There seems to be no way in the username.map file to distinguish between users on different domains (trusting each other) with the same username. For example, if I have an entry in the username.map file "fredf flintstone_f", then the NT user flintstone_f in any domain trusted by the domain the samba server is a member of is mapped to the unix user fredf.

The good news seems to be that samba does know about domains. Authentication errors reported in log.smbd mention a username, password server _and_ the domain they tried to authenticate against.

Anyone else come across the same issue? Is this functionality planned for 2.2.x, or is it in 3.x?

Cheers,
Gavin Timmins
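An audit sketch for the situation described in this thread, added here as an example and not taken from either poster or from Samba's code: it applies username.map entries by bare user name only, as the posts describe, and lists the Unix accounts that identities from more than one trusted domain resolve to. The map contents and account lists are constructed sample data, the function names are hypothetical, and case-insensitive matching is an assumption.

```python
import shlex
from collections import defaultdict

# Constructed sample data (not from the thread's real systems).
USERNAME_MAP = """\
# unix_name = client_name [client_name ...]
fredf = flintstone_f
!svc = "Backup Operator"
"""
DOMAIN_ACCOUNTS = {
    "AIRPORT": ["testuser", "flintstone_f", "alice"],
    "MAIL": ["testuser", "flintstone_f", "bob", "Backup Operator"],
}

def parse_username_map(text):
    """Return [(unix_name, {client names}, stop)] from username.map text."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":        # '#' and ';' start comments
            continue
        stop = line.startswith("!")            # '!': stop after this line matches
        unix_name, sep, clients = line.lstrip("!").partition("=")
        if sep:                                # '*' and '@group' are not modelled
            names = {c.lower() for c in shlex.split(clients)}
            entries.append((unix_name.strip(), names, stop))
    return entries

def map_bare_name(user, entries):
    """Map a client name by bare name only; the domain part plays no role."""
    name = user
    for unix_name, names, stop in entries:     # the file is applied line by line
        if name.lower() in names:              # assumption: case-insensitive
            name = unix_name
            if stop:
                break
    return name

def cross_domain_collisions(domain_accounts, entries):
    """Return {unix_name: [identities]} reachable from more than one domain."""
    reach = defaultdict(list)
    for domain, users in sorted(domain_accounts.items()):
        for user in users:
            reach[map_bare_name(user, entries)].append(f"{domain}\\{user}")
    return {u: ids for u, ids in reach.items()
            if len({i.split("\\")[0] for i in ids}) > 1}

if __name__ == "__main__":
    found = cross_domain_collisions(DOMAIN_ACCOUNTS, parse_username_map(USERNAME_MAP))
    for unix_name, ids in sorted(found.items()):
        print(f"{unix_name}: {', '.join(ids)}")
```

Each Unix account it reports is one whose share permissions on such a server would apply equally to same-named users in every trusted domain.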