Jonathan Johnson
2007-Jul-10 21:30 UTC
[Samba] Domain member, security = ADS|domain and trusts with NT4
I presently have a Samba server (3.0.21b) set up as a member server in an NT4 domain (with a real Windows NT4 PDC). We are migrating to an Active Directory domain (with a real Windows 2003 domain controller).

We have set up a two-way trust between the old NT4 domain "CLUNKY" and the new ADS domain "SLEEK" (aka sleek.local). The Samba server is a member of the CLUNKY domain (security = domain) and authentication is against the PDC for the CLUNKY domain.

How can I ensure that users in both CLUNKY and SLEEK can access the Samba server? Will joining the Samba server to SLEEK with security = ADS allow this? Will Samba honor the domain trust?

-Jonathan Johnson
Sutinen Consulting, Inc.
www.sutinen.com
Jonathan Johnson
2007-Jul-12 19:27 UTC
[Samba] Domain member, security = ADS|domain and trusts with NT4
After extensive testing, the answer I come up with is "yes, and no."

Jonathan Johnson wrote:
> I presently have a Samba server (3.0.21b) set up as a member server in
> an NT4 domain (with a real Windows NT4 PDC). We are migrating to an
> Active Directory domain (with a real Windows 2003 domain controller).
>
> We have set up a two-way trust between the old NT4 domain "CLUNKY" and
> the new ADS domain "SLEEK" (aka sleek.local). The Samba server is a
> member of the CLUNKY domain (security = domain) and authentication is
> against the PDC for the CLUNKY domain.
>
> How can I ensure that users in both CLUNKY and SLEEK can access the
> Samba server? Will joining the Samba server to SLEEK with security =
> ADS allow this? Will Samba honor the domain trust?

If a share is not restricted with "valid users =", then the user in SLEEK can access the share on the Samba server in CLUNKY. However, if you have restrictions on the share such as

    valid users = @CLUNKY+sales, CLUNKY+fred

then the user 'fred' in the SLEEK domain will NOT be able to access. You can grant SLEEK+fred access by modifying:

    valid users = @CLUNKY+sales, CLUNKY+fred, SLEEK+fred

so it appears that you can add users in trusted domains to the 'valid users =' directive. However, groups of trusted domains don't work:

    valid users = @CLUNKY+sales, @SLEEK+sales

If 'fred' is a member of the group SLEEK+sales, fred will NOT have access (assuming the Samba server is in the CLUNKY domain).

-Jonathan Johnson
Sutinen Consulting, Inc.
www.sutinen.com
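The practical consequence of the behaviour reported above is that a share whose 'valid users' list names a group from the trusted domain silently denies the people in that group. The following script is an added example (not part of the thread and not Samba project code) that parses 'valid users' entries and walks an smb.conf to flag group entries whose domain is not the server's own domain, so an administrator can find those shares before users report access failures. It assumes a winbind separator of '+' (matching the CLUNKY+fred spelling in the post), a server joined to CLUNKY, and a constructed smb.conf excerpt built from the directive values quoted in the reply; the "not honoured" finding reflects what the post reports for 3.0.21b, not a general statement about Samba.

```python
import re
from dataclasses import dataclass

# Assumptions (not from the post): winbind separator is '+', matching the
# CLUNKY+fred spelling in the thread, and the server is a member of CLUNKY.
SEPARATOR = "+"
SERVER_DOMAIN = "CLUNKY"

# Constructed smb.conf excerpt using the directive values quoted in the post.
SAMPLE_SMB_CONF = """
[global]
    workgroup = CLUNKY
    security = domain
    winbind separator = +

[public]
    path = /srv/public

[sales]
    path = /srv/sales
    valid users = @CLUNKY+sales, CLUNKY+fred, SLEEK+fred

[reports]
    path = /srv/reports
    valid users = @CLUNKY+sales, @SLEEK+sales
"""


@dataclass
class Entry:
    raw: str      # token exactly as written in smb.conf
    kind: str     # "user" or "group"
    domain: str   # upper-cased domain prefix, "" when there is none
    name: str     # user or group name after the separator


def parse_valid_users(value, separator=SEPARATOR):
    """Split a 'valid users' list into typed entries.

    Samba prefixes: '@' = NIS netgroup, then UNIX group; '+' = UNIX group;
    '&' = netgroup only. An unprefixed token is a user. List items are
    separated by commas and/or whitespace.
    """
    entries = []
    for tok in re.split(r"[,\s]+", value.strip()):
        if not tok:
            continue
        kind, name = "user", tok
        while name and name[0] in "@+&":
            kind, name = "group", name[1:]
        domain = ""
        if separator in name:
            domain, name = name.split(separator, 1)
        entries.append(Entry(tok, kind, domain.upper(), name))
    return entries


def parse_shares(conf_text):
    """Return {section_name: {'key': 'value', ...}} for every section."""
    shares, current = {}, None
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line[0] in ";#":
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            current = m.group(1).strip()
            shares[current] = {}
        elif current is not None and "=" in line:
            key, _, val = line.partition("=")
            shares[current][key.strip().lower()] = val.strip()
    return shares


def audit_trusted_groups(conf_text, server_domain=SERVER_DOMAIN):
    """Map share name -> raw tokens that are groups from a domain other than
    the server's own. Per the post, a 3.0.21b member server does not honour
    such entries, so members of those groups are denied without any warning."""
    findings = {}
    shares = parse_shares(conf_text)
    sep = shares.get("global", {}).get("winbind separator", SEPARATOR)
    for share, params in shares.items():
        if share == "global" or "valid users" not in params:
            continue
        bad = [e.raw for e in parse_valid_users(params["valid users"], sep)
               if e.kind == "group" and e.domain and e.domain != server_domain.upper()]
        if bad:
            findings[share] = bad
    return findings


if __name__ == "__main__":
    for share, tokens in audit_trusted_groups(SAMPLE_SMB_CONF).items():
        print(f"[{share}]: trusted-domain group entries not honoured: {', '.join(tokens)}")
```

Run it against a real smb.conf by passing the file contents to audit_trusted_groups; only the [reports] share in the constructed sample is flagged, because @SLEEK+sales is a group from the trusted domain, while SLEEK+fred in [sales] is a user entry and, according to the post, works.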