Robert Kelly
2005-Jun-14 20:30 UTC
[Samba] Proper behavior of Interdomain Trust uid mappings
Hi there,

I'm running Samba 3.0.14a-sernet on Suse 9.1 using ldapsam. I've got an interdomain trust setup across a vpn connection with a 2k3sp1 domain (DOMB). The trust works.

What is strange is that a user from DOMB can't access any shares until they browse a share on our domain controller, say netlogon, then samba creates a new posix account for them in the ou=users base.

I have nsswitch.conf using ldap, and samba configured to use winbind as per the howto. Same wins etc.

What isn't clear to me is why the user account gets created as a regular account and not in the ou=idmap base. Shouldn't just a sambaIdmapEntry object be created in ou=IdMap and not a posixaccount in ou=users? The account gets created with a uid from the regular users range, not from the idmap uid range, and still gets created when winbind is stopped.

I've read Chapter 18, Interdomain Trust Relationships, over and over again, but need some suggestions on the correct way to set up winbind on a domain controller when using a trust.

Any clues?

Thanks,
Rob
Ian Clancy
2005-Jun-14 23:27 UTC
[Samba] Proper behavior of Interdomain Trust uid mappings
Robert Kelly wrote:
>Hi there,
>I'm running Samba 3.0.14a-sernet on Suse 9.1 using ldapsam.
>I've got an interdomain trust setup across a vpn connection with a
>2k3sp1 domain (DOMB).
>The trust works.
>

Robert, I have a similar setup to yourself except I have 2 samba domains across a VPN.

>What is strange is that a user from DOMB can't access any shares until
>they browse a share on our domain controller, say netlogon, then samba
>creates a new posix account for them in the ou=users base.
>

I spent quite a while myself trying to figure this out. I'm not sure if what I have done is correct, but in nsswitch.conf I have:

----
passwd: files ldap winbind
shadow: files ldap winbind
group: files ldap winbind
-----

winbind is used to give the foreign SIDs from the trusted domain a uid on your PDC or Domain Member Server.

>I have nsswitch.conf using ldap, and samba configured to use winbind as
>per the howto. Same wins etc.
>What isn't clear to me is why the user account gets created as a regular
>account and not in the ou=idmap base.
>

I had this same problem until I added winbind to the nsswitch.conf file. Can you see the users from the trusted domain when you enter 'wbinfo -u' at the shell?

>Shouldn't just a sambaIdmapEntry object be created in ou=IdMap and not a
>posixaccount in ou=users?
>The account gets created with a uid from the regular users range not
>from the idmap uid range and still gets created when winbind is stopped.
>
>I've read Chapter 18. Interdomain Trust Relationships over and over
>again, but need some suggestions on the correct way to setup winbind on
>a domain controller when using a trust.
>
>Any clues?
>

The book is not very clear on this. It took me some time to figure it out.

>Thanks,
>Rob
>

--
Ian Clancy
IT Systems Engineer
Connaught Electronics Ltd.
Dunmore Rd, Tuam, Co. Galway, Ireland.
P : ++353 93 23151
F : ++353 93 23110
E : mailto:clancyian@cel.ie
W : cel-europe.com
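The fix Ian describes is that winbind must be listed as a source for the passwd, group and shadow databases in nsswitch.conf, otherwise a foreign SID from the trusted domain has no way to be mapped to a uid through winbind. The following script is an added example and is not part of the thread or of Samba; it checks an nsswitch.conf file for exactly that and reports which databases are missing winbind. The two sample files it writes are constructed: one matches the configuration Ian posted, the other reproduces an nsswitch.conf that uses ldap only, as in Rob's original setup.

```shell
#!/bin/sh
# Added example (not from the thread): verify that nsswitch.conf lists
# winbind for the passwd, group and shadow databases. The sample files
# written below are constructed for the demonstration.

# nsswitch_has FILE DB
# Exit 0 when the DB line (e.g. "passwd: files ldap winbind") names winbind.
nsswitch_has() {
    awk -v db="$2" '
        /^[[:space:]]*#/ { next }            # skip comment lines
        $1 == (db ":") {                     # the line for this database
            for (i = 2; i <= NF; i++)
                if ($i == "winbind") found = 1
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# check_winbind_nsswitch FILE
# Report each of passwd/group/shadow; exit 0 only when all three have winbind.
check_winbind_nsswitch() {
    missing=0
    for db in passwd group shadow; do
        if nsswitch_has "$1" "$db"; then
            echo "$db: winbind present"
        else
            echo "$db: winbind MISSING"
            missing=1
        fi
    done
    return $missing
}

# Constructed sample equivalent to the nsswitch.conf in Ian's reply.
write_good_sample() {
    printf 'passwd: files ldap winbind\nshadow: files ldap winbind\ngroup:  files ldap winbind\nhosts:  files dns\n' > "$1"
}

# Constructed sample with ldap only, i.e. winbind never consulted.
write_bad_sample() {
    printf '# constructed: winbind absent\npasswd: files ldap\nshadow: files ldap\ngroup:  files ldap\n' > "$1"
}

# Stand-alone demo over both constructed samples.
demo_nsswitch_check() {
    tmp=$(mktemp)
    write_good_sample "$tmp"
    check_winbind_nsswitch "$tmp"
    write_bad_sample "$tmp"
    check_winbind_nsswitch "$tmp" || echo "trusted-domain SIDs cannot be mapped to uids via winbind"
    rm -f "$tmp"
}

demo_nsswitch_check
```

To run it against a real system, call `check_winbind_nsswitch /etc/nsswitch.conf`; a non-zero exit means at least one database still lacks winbind, which is the state in which Samba falls back to creating a regular account rather than an idmap entry. Once the three lines pass, `wbinfo -u` (as Ian suggests) is the next check that the trust's users are actually visible.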