Aidan Dixon
2006-Dec-17 17:19 UTC
[Samba] Re: Need some guidance re: two domains sharing the same workstations
Hello Matt,

I've had similar misfortunes too with interdomain trusts. I think you're working along the right lines since you seem to want to do the same thing as I.

However the NT_STATUS_UNSUCCESSFUL is an error I always get when trying to connect to the IPC$ share of the PDC of the trusting domain. In my case the trusting PDC is a Windows 2003 Server.

I know it's not an issue of credentials but something else; but I don't know what. Judging by the traffic on this list someone HAS got this to work. Anyone care to comment?

Kind regards,
-a.

samba-request@lists.samba.org wrote:
> Subject: [Samba] Need some guidance re: two domains sharing the same workstations
> From: Matt Hyclak <hyclak@math.ohiou.edu>
> Date: Fri, 15 Dec 2006 09:08:52 -0500
> To: samba@lists.samba.org
>
> I fought with this a few months back, and was never able to resolve it, so I'm back at it trying to get things to work before classes start again in January. Here's a brief summary of the situation:
>
> I am responsible for 2 departments, Math and Socialwork, which are located in the same building and share the same network. Each department has its own samba server (RHEL4/CentOS4) and domain MATH and SOCIALWORK, respectively.
>
> There is one lab which both departments share, so I would like for users in either domain to be able to log in to the workstation using the credentials for their own domain. The way to do this *seems* to be with an Interdomain Trust.
>
> I have followed the how-to chapter (19. Interdomain Trusts), and configured the trust. I added a socialwork$ user to the Math LDAP server, and vice versa. Ran the 'net rpc trustdom establish OTHERDOMAIN' command, and the relationship is established, however there seems to be a problem with the "Trusting domains" area. I get the following:
>
> Trusting domains list:
>
> [2006/12/15 09:01:02, 0] utils/net_rpc.c:rpc_trustdom_list(4688)
>   Couldn't enumerate accounts. Error was: NT_STATUS_UNSUCCESSFUL
>
> I have googled this error and have seen it come up only a couple times with no solutions. The relevant sections of smb.conf are as follows:
>
>   ldap suffix = dc=math,dc=ohiou,dc=edu
>   ldap group suffix = ou=Group
>   ldap machine suffix = ou=Computers
>   ldap user suffix = ou=People
>   ldap idmap suffix = ou=Idmap
>   ldap admin dn = cn=Manager,dc=math,dc=ohiou,dc=edu
>   ldap passwd sync = yes
>   ldap delete dn = no
>   passdb backend = ldapsam:ldaps://bing.math.ohiou.edu
>   idmap backend = ldap:ldaps://bing.math.ohiou.edu
>
>   idmap uid = 10000-20000
>   idmap gid = 10000-20000
>   winbind use default domain = no
>   winbind enum groups = yes
>   winbind enum users = yes
>
> So, if someone could let me know if I'm moving in the right direction, I'd really appreciate it, or if there's a better way to do this (putting everyone in the same LDAP tree? - I'd like to avoid that, but it's a possibility).
>
> Thanks in advance,
> Matt
Matt Hyclak
2006-Dec-18 20:57 UTC
[Samba] Re: Need some guidance re: two domains sharing the same workstations
On Sun, Dec 17, 2006 at 05:18:47PM +0000, Aidan Dixon enlightened us:
> I've had similar misfortunes too with interdomain trusts. I think you're working along the right lines since you seem to want to do the same thing as I.
>
> However the NT_STATUS_UNSUCCESSFUL is an error I always get when trying to connect to the IPC$ share of the PDC of the trusting domain. In my case the trusting PDC is a Windows 2003 Server.
>
> I know it's not an issue of credentials but something else; but I don't know what. Judging by the traffic on this list someone HAS got this to work. Anyone care to comment?
>
> Kind regards,
> -a.
>

In some more diagnosis, here's where I seem to be:

The Interdomain Trust relationship works. I can log into a SW computer with a SW account, and browse to MATH servers and see files.

If the account name exists in one user database, I can log in with credentials from the other Domain. Specifically, I've got an account (hyclak) which exists in both the MATH and SOCIALWORK domains. I can log into a SW computer with my MATH credentials no problem, but if I use an account that isn't in both domains, I can only log into machines in the associated domain.

This leads me to believe either:

1. I need to use a single LDAP tree for all the accounts - feasible, but I'd rather avoid
2. There is some problem with my configuration (winbind?) that is not allowing the accounts to be looked up enough to see if the credentials in the other domain are correct.

Can anyone help with 2, or should I just give it up and go with 1?

Thanks,
Matt

> samba-request@lists.samba.org wrote:
> > Subject: [Samba] Need some guidance re: two domains sharing the same workstations
> > From: Matt Hyclak <hyclak@math.ohiou.edu>
> > Date: Fri, 15 Dec 2006 09:08:52 -0500
> > To: samba@lists.samba.org
> >
> > I fought with this a few months back, and was never able to resolve it, so I'm back at it trying to get things to work before classes start again in January. Here's a brief summary of the situation:
> >
> > I am responsible for 2 departments, Math and Socialwork, which are located in the same building and share the same network. Each department has its own samba server (RHEL4/CentOS4) and domain MATH and SOCIALWORK, respectively.
> >
> > There is one lab which both departments share, so I would like for users in either domain to be able to log in to the workstation using the credentials for their own domain. The way to do this *seems* to be with an Interdomain Trust.
> >
> > I have followed the how-to chapter (19. Interdomain Trusts), and configured the trust. I added a socialwork$ user to the Math LDAP server, and vice versa. Ran the 'net rpc trustdom establish OTHERDOMAIN' command, and the relationship is established, however there seems to be a problem with the "Trusting domains" area. I get the following:
> >
> > Trusting domains list:
> >
> > [2006/12/15 09:01:02, 0] utils/net_rpc.c:rpc_trustdom_list(4688)
> >   Couldn't enumerate accounts. Error was: NT_STATUS_UNSUCCESSFUL
> >
> > I have googled this error and have seen it come up only a couple times with no solutions. The relevant sections of smb.conf are as follows:
> >
> >   ldap suffix = dc=math,dc=ohiou,dc=edu
> >   ldap group suffix = ou=Group
> >   ldap machine suffix = ou=Computers
> >   ldap user suffix = ou=People
> >   ldap idmap suffix = ou=Idmap
> >   ldap admin dn = cn=Manager,dc=math,dc=ohiou,dc=edu
> >   ldap passwd sync = yes
> >   ldap delete dn = no
> >   passdb backend = ldapsam:ldaps://bing.math.ohiou.edu
> >   idmap backend = ldap:ldaps://bing.math.ohiou.edu
> >
> >   idmap uid = 10000-20000
> >   idmap gid = 10000-20000
> >   winbind use default domain = no
> >   winbind enum groups = yes
> >   winbind enum users = yes
> >
> > So, if someone could let me know if I'm moving in the right direction, I'd really appreciate it, or if there's a better way to do this (putting everyone in the same LDAP tree? - I'd like to avoid that, but it's a possibility).
> >
> > Thanks in advance,
> > Matt

-- 
Matt Hyclak
Department of Mathematics
Department of Social Work
Ohio University
(740) 593-1263
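The smb.conf fragment quoted above and the login symptom Matt describes are the whole technical picture in this thread, so here is an added example (mine, not from the thread or from the Samba project) that parses that fragment and summarises what a trusted-domain login depends on: the size of the idmap range that accounts from both domains must fit into, whether the LDAP backends are reached over ldaps, and the DOMAIN\user name form that `winbind use default domain = no` implies. The fragment is constructed from the post; the check function and its findings are assumptions of mine, not Samba tooling.

```python
SMB_CONF = """\
[global]
ldap suffix = dc=math,dc=ohiou,dc=edu
ldap group suffix = ou=Group
ldap machine suffix = ou=Computers
ldap user suffix = ou=People
ldap idmap suffix = ou=Idmap
ldap admin dn = cn=Manager,dc=math,dc=ohiou,dc=edu
ldap passwd sync = yes
ldap delete dn = no
passdb backend = ldapsam:ldaps://bing.math.ohiou.edu
idmap backend = ldap:ldaps://bing.math.ohiou.edu
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind use default domain = no
winbind enum groups = yes
winbind enum users = yes
"""  # fragment constructed from the quoted post (added example, not Samba code)

def parse_smb_conf(text):
    """Parse into {section: {key: value}}; split on the first '=' only, since DNs contain '='."""
    conf, section = {}, "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank or comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        else:
            key, _, value = line.partition("=")
            conf.setdefault(section, {})[key.strip().lower()] = value.strip()
    return conf

def parse_range(value):
    """'10000-20000' -> (10000, 20000); ValueError if malformed or inverted."""
    lo, hi = (int(part) for part in value.split("-"))
    if lo > hi:
        raise ValueError("inverted idmap range: %r" % value)
    return lo, hi

def check_trust_settings(conf):
    """Hypothetical checks on the settings a trusted-domain login depends on."""
    g, findings = conf["global"], []
    uid_lo, uid_hi = parse_range(g["idmap uid"])
    parse_range(g["idmap gid"])                  # validate the gid range too
    if any("ldap://" in g.get(k, "") for k in ("passdb backend", "idmap backend")):
        findings.append("a backend uses plain ldap:// rather than ldaps://")
    if g.get("winbind use default domain", "no").lower() != "yes":
        findings.append("winbind use default domain = no: log in as DOMAIN\\user, not a bare name")
    return {"ids_available": uid_hi - uid_lo + 1, "findings": findings}
```

Running `check_trust_settings(parse_smb_conf(SMB_CONF))` on the quoted fragment reports 10001 mappable ids and only the DOMAIN\user finding, since both backends already use ldaps.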