Greetings,

I want to use winbind in conjunction with nsswitch in a pretty large AD. I would like winbind to only map users in the default domain. As it is, winbind maps users in other trusted domains of the AD too, which is *not* what I want.

I am not sure I made myself very clear, so here is an example. Let's say I have an AD called ACME.COM. There are the domains PROD.ACME.COM and ADMIN.ACME.COM in this AD. I made my Samba server join the PROD.ACME.COM domain. When I have nsswitch.conf configured correctly, "getent passwd" returns all the users in both domains. I would prefer it return only users in the PROD.ACME.COM domain, and not those in ADMIN.ACME.COM. Is that possible?

I know about "winbind enum users" and "winbind enum groups", but this is not what I want. I do not want accounts outside the default domain to be valid on this server for services other than Samba.

I am running Samba 3.0.10 on RHEL 4.

Thanks a lot!

Etienne Goyer
Etienne Goyer wrote:
> Greetings,
>
> I want to use winbind in conjunction with nsswitch in a pretty large AD.
> I would like winbind to only map users in the default domain. As it
> is, winbind maps users in other trusted domains of the AD too, which is
> *not* what I want.
>
> I am not sure I made myself very clear, so here is an example. Let's
> say I have an AD called ACME.COM. There are the domains PROD.ACME.COM
> and ADMIN.ACME.COM in this AD. I made my Samba server join the
> PROD.ACME.COM domain. When I have nsswitch.conf configured correctly,
> "getent passwd" returns all the users in both domains. I would prefer it
> return only users in the PROD.ACME.COM domain, and not those in
> ADMIN.ACME.COM. Is that possible?
>
> I know about "winbind enum users" and "winbind enum groups", but this is
> not what I want. I do not want accounts outside the default domain to be
> valid on this server for services other than Samba.
>
> I am running Samba 3.0.10 on RHEL 4.
>
> Thanks a lot!
>
> Etienne Goyer
>

please have a look at "allow trusted domains"

--
Michael Gasch
Max Planck Institute for Evolutionary Anthropology
Department of Human Evolution
Deutscher Platz 6
D-04103 Leipzig
Germany
Phone: 49 (0)341 - 3550 137
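
One way to confirm on the server that "allow trusted domains = no" took effect, as an added example that is not part of any poster's message: the function below reads passwd-format lines and prints every account mapped from a domain other than the allowed one. It assumes the default winbind separator "\" and that user enumeration is enabled; the function names, the short domain names PROD and ADMIN, and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Assumptions: winbind separator is the
# default "\" (DOMAIN\user); PROD and ADMIN are constructed short names.

# foreign_accounts ALLOWED_DOMAIN
# Reads passwd(5)-format lines on stdin and prints the login name of every
# entry whose domain prefix differs from ALLOWED_DOMAIN (case-insensitive).
# Local accounts, which have no separator, are ignored.
foreign_accounts() {
    awk -F: -v allowed="$1" '
        {
            n = index($1, "\\")           # position of the winbind separator
            if (n == 0) next               # local account, not from winbind
            dom = toupper(substr($1, 1, n - 1))
            if (dom != toupper(allowed)) print $1
        }'
}

# check_restriction ALLOWED_DOMAIN
# Returns 0 if no foreign-domain account is present on stdin, 1 otherwise.
check_restriction() {
    leaked=$(foreign_accounts "$1")
    if [ -n "$leaked" ]; then
        printf 'accounts from other domains still resolve:\n%s\n' "$leaked" >&2
        return 1
    fi
    return 0
}

# Constructed sample of "getent passwd" output before the restriction.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
PROD\alice:*:10001:10000:Alice:/home/PROD/alice:/bin/bash
ADMIN\bob:*:20001:20000:Bob:/home/ADMIN/bob:/bin/bash
PROD\carol:*:10002:10000:Carol:/home/PROD/carol:/bin/bash
EOF
}

# Demo on the constructed sample; on a real host use:
#   getent passwd | check_restriction PROD
sample_passwd | foreign_accounts PROD
```

If "winbind enum users = no" is set, "getent passwd" lists no domain users at all, so an empty result from this check is only meaningful with enumeration on.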
Talwar, Puneet (NIH/NIAID)
2005-May-18 15:59 UTC
[Samba] Re: Restricting winbind to the default domain
I would like to know if I am able to run wbinfo -u and -g option, it works successfully. But when I try to connect from a Win XP box, it says it is not able to connect to the domain controller or access denied.

Can you guys help me with this problem?

Thanks,

-----Original Message-----
From: John H Terpstra [mailto:jht@Samba.Org]
Sent: Wednesday, May 18, 2005 11:06 AM
To: samba@lists.samba.org
Subject: Re: [Samba] Re: Restricting winbind to the default domain

On Wednesday 18 May 2005 06:53, Etienne Goyer wrote:
> Michael Gasch wrote:
> > Etienne Goyer wrote:
> >> I want to use winbind in conjunction with nsswitch in a pretty large AD.
> >> I would like winbind to only map users in the default domain. As it
> >> is, winbind maps users in other trusted domains of the AD too, which is
> >> *not* what I want.
> >> [...snip...]
> >
> > please have a look at "allow trusted domains"
>
> Thank you very much sir, this is precisely what I need.
>
> It is worth noting that the smb.conf(5) man page has the following to
> say regarding this directive:
>
> "This option only takes effect when the security option is set to
> server or domain."
>
> This is incorrect, as I am running with "security = ads", and it
> apparently does the right thing. I'll try to contact the maintainer of
> this man page on the subject.

Thanks for mentioning this. It has been fixed now.

- John T.
--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
John H Terpstra
2005-May-18 16:05 UTC
[Samba] Re: Restricting winbind to the default domain
On Wednesday 18 May 2005 09:58, Talwar, Puneet (NIH/NIAID) wrote:
> I would like to know if I am able to run wbinfo -u and -g option, it works
> successfully. But when I try to connect from a Win XP box, it say it is
> not able to connect to the domain controller or access denied.
>
> Can you guys help me with this problem?

What is the output of the following?:

    net rpc testjoin
    net rpc info

- John T.