In reading the documentation I haven't found anything that covers the use of winbindd when authenticating against one domain (let's call it 'A') while also allowing users from a domain trusted by A (let's call it 'B').

My linux box is a member server in domain A, which is a new domain we are working on transitioning to. We are not renaming because 2k server doesn't have that ability. Domain B is the old domain half of the users are still using. I want the users in domain B to be able to use shares on the linux box. On my linux box I can use wbinfo -u to get a list of users in domain A, but I only get machine accounts listed in domain B.

How can I get winbind to be able to authenticate users in both domains, not just users in one and machine accounts in the trusted?

Also, if this is covered in the manual and I have just missed it, please let me know where it is. I have been searching for a while.

Shaun

--
If more of us valued food and cheer and song above hoarded gold, it would be a merrier world.
-- J.R.R. Tolkien
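A small diagnostic for the symptom Shaun describes (real user accounts listed for the home domain, only machine accounts for the trusted one), added here as an example and not taken from the thread or from Samba itself. It classifies `wbinfo -u` output per domain; the sample lines are constructed, and the script assumes the default winbind separator `\` and the convention that machine account names end in `$`.

```shell
#!/bin/sh
# Added example: classify `wbinfo -u` output per domain so that a trusted
# domain that only yields machine accounts is spotted immediately.
# Assumptions: winbind separator is the default '\'; machine accounts end in '$'.

# Constructed sample standing in for the output of: wbinfo -u
SAMPLE_WBINFO='A\alice
A\bob
A\srv01$
B\ws07$
B\ws12$'

# classify_wbinfo DOMAIN
# Reads DOMAIN\name lines on stdin and prints "<users> <machines>" for DOMAIN.
classify_wbinfo() {
    dom="$1"; users=0; machines=0
    while IFS= read -r entry; do
        # keep only entries whose domain part (before the backslash) matches
        [ "${entry%%\\*}" = "$dom" ] || continue
        case "$entry" in
            *\$) machines=$((machines + 1)) ;;   # trailing '$' marks a machine account
            *)   users=$((users + 1)) ;;
        esac
    done
    echo "$users $machines"
}

# report_domain DOMAIN
# Prints a one-line summary; exit status 0 when at least one real user account
# is visible for DOMAIN, 1 when winbind only exposes machine accounts (the symptom).
report_domain() {
    set -- "$1" $(printf '%s\n' "$SAMPLE_WBINFO" | classify_wbinfo "$1")
    printf 'domain %s: %s user account(s), %s machine account(s)\n' "$1" "$2" "$3"
    [ "$2" -gt 0 ]
}

# Stand-alone run over the constructed sample.
report_domain A
report_domain B || echo "domain B: only machine accounts visible, check trust and winbind settings"
```

Against a live server, pipe the real listing through the classifier instead of the sample (`wbinfo -u | classify_wbinfo B`), and confirm with `wbinfo -m` that winbind actually sees domain B as a trusted domain; `winbind enum users` and `allow trusted domains` are the smb.conf parameters that govern whether trusted-domain users are enumerated at all.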
On Wednesday 23 November 2005 14:03, Shaun Kruger wrote:
> In reading the documentation I haven't found anything that covers the use of
> winbindd when authenticating against one domain (let's call it 'A') while
> also allowing users from a domain trusted by A (let's call it 'B').

What documentation have you read so far?

- John T.

> My linux box is a member server in domain A which is a new domain we are
> working on transitioning to. We are not renaming because 2k server doesn't
> have that ability. Domain B is the old domain half of the users are still
> using. I want the users in domain B to be able to use shares on the linux
> box. On my linux box I can use wbinfo -u to get a list of users in domain
> A, but I only get machine accounts listed in domain B.
>
> How can I get winbind to be able to authenticate users in both domains not
> just users in one and machine accounts in the trusted?
>
> Also, if this is covered in the manual and I have just missed it please let
> me know where it is. I have been searching for a while.
On Wednesday 23 November 2005 14:34, you wrote:
> On 11/23/05, John H Terpstra <jht@samba.org> wrote:
> > On Wednesday 23 November 2005 14:03, Shaun Kruger wrote:
> > > In reading the documentation I haven't found anything that covers the
> > > use of winbindd when authenticating against one domain (let's call it
> > > 'A') while also allowing users from a domain trusted by A (let's call it
> > > 'B').
> >
> > What documentation have you read so far?
>
> I've been spending a lot of time with the Samba howto collection
> http://us4.samba.org/samba/docs/man/Samba-HOWTO-Collection/
> I've been reading about domain membership and winbindd

OK. So perhaps you are delving head-first into the mechanic's guide before you have mastered deployment?

The book "Samba-3 by Example" is designed to help people to deploy Samba-3 BEFORE they start to tinker with its arcane features (see http://www.samba.org/samba/docs/Samba3-ByExample.pdf). Having a working system before tinkering makes it easier to observe the effects of change, and thus aids and accelerates learning.

Chapter 7 of the ByExample book provides information on adding Samba servers that are domain members. Mastery of domain member servers will help you with interdomain trust handling.

In any case, the Samba3-HOWTO (aka Samba3-HOWTO-Collection) (see http://www.samba.org/samba/docs/Samba3-HOWTO.pdf) has a few chapters you will need to refer to:

Chapter 18 describes how interdomain trusts can be established - create interdomain trusts so that users from one domain can access resources in a foreign domain.

Chapter 11 describes group management concepts.

Chapter 12 describes the use of the 'net' command - you will need to establish nested groups that will be used to permit users from trusted domains to access resources that are used in the trusting domain. If you do not do this, foreign domain users and groups will operate with independent UID/GID data, thus necessitating relaxation of UNIX file system permissions so that local and foreign users can access the same resources.

Chapter 13 describes IDMAP functionality - your foreign user and group SIDs must be translated to locally known UID/GID values - that is the role of winbind. However, it can also be done without winbind - in that case the accounts must be capable of being resolved locally on the Samba server.

Chapter 14 describes user rights and privileges - remote administration of a foreign domain is possible only through use of these facilities that were new to Samba 3.0.11.

Above all, you need to understand how in a pure Windows NT/200x world interdomain trusts are used. My documentation does not try to impart that knowledge.

I am the first to admit that the HOWTO does not provide a neatly integrated guide to setting up a domain member server, nor does it provide a detailed document to describe use of interdomain file and directory access. I'd much appreciate it if someone would contribute a well documented chapter on these subjects.

Despite all this, I strongly believe that the domain controller, backup domain controller and domain membership chapters in the HOWTO are in need of restructuring. I am working on the next generation documentation that will ultimately replace these chapters - I just do not know when this will be implemented due to other priorities.

I believe that "Samba-3 by Example" is the best place for deployment guidance and that the HOWTO should stick to explanation of how Samba features function and can be used. The purpose of the HOWTO is NOT to provide documented deployment guidance. It is my intent to put further examples of use into the Samba-3 by Example book.

- John T.
I would be interested in contributing, but I have oh so many questions; once I understand, I will document what I know.

For myself, I am totally not interested in ANY NT style domain functionality, but rather full 100% pure Active Directory integration. I am now exploring PADL stuff and Kerberos stuff along with either AD4Unix or SFU3.5. However, I am concerned over PADL's lack of caching and I'm interested in winbindd. I'm also interested in automation of UID/GID generation, perhaps with IDMAP. I would want them written back to AD LDAP rather than a separate database. I don't know if it does this already. I would also be interested in developing my own scheme for how UID/GID are generated in correlation to SID, so I might avoid IDMAP (or change it, mumuhuhuhaha).

- Joaquin Menchaca

-----Original Message-----
From: samba-bounces+letz_samba=realmspace.com@lists.samba.org [mailto:samba-bounces+letz_samba=realmspace.com@lists.samba.org] On Behalf Of John H Terpstra
Sent: Wednesday, November 23, 2005 2:25 PM
To: Shaun Kruger
Cc: samba@samba.org
Subject: Re: [Samba] winbind auth using ADS with domain trusts