devel@thom.fr.eu.org
2008-May-29 12:59 UTC
[Samba] Trustdom setup and trusted group management
Hello,

I did join 2 sites using an IPSEC tunnel, and made one domain trust the other (2 small Samba DC based domains with about 10 users in each).

I first had resolving issues until I decided to keep only one WINS server for both networks (though this is still an issue to me because if for any reason the tunnel is broken, I no longer have WINS on one side).

Finally here is my setup:

Network A 1.1.0.0/16 with Samba DC ServA for domain DomA at ip 1.1.254.254 (which also acts as IPSEC gateway and firewall).
Network B 2.1.0.0/16 with Samba DC ServB for domain DomB at ip 2.1.254.254 (which also acts as IPSEC gateway and firewall).

Browsing is OK (I think):

    preferred master = Yes
    local master = Yes
    domain master = Yes
    browse list = Yes
    enhanced browsing = Yes
    remote announce = 1.1.254.254 (2.1.254.254 for ServA)
    remote browse sync = 1.1.254.254 (2.1.254.254 for ServA)

ServB is the WINS for both networks.

    name resolve order = wins host lmhosts bcast
    wins proxy = Yes
    wins support = Yes

All nodes on both networks are configured as peer to peer (0x3).
All nodes can access any other, whatever the network.

From here, I set up the trustdom: DomA is the trusted domain and DomB the trusting one.

The "net rpc trustdom establish DomA" run on ServB returned:

    Unable to join ServA
    Successfully joined DomA

From here, I set up winbindd on ServB to be able to play with DomA users.

    idmap domains = DomA
    idmap alloc backend = tdb
    template homedir = /home/home/%D/%U
    template shell = /bin/false
    winbind separator = \
    winbind enum users = Yes
    winbind enum groups = Yes
    winbind use default domain = No
    winbind trusted domains only = No
    winbind nested groups = Yes
    winbind nss info = template
    winbind:rpc only = yes
    idmap config DomA:range = 4000-4999
    idmap config DomA:default = Yes
    idmap config DomA:backend = tdb
    idmap alloc config:range = 3000-3999

And here, I have a strange failure: wbinfo -t returns either

    checking the trust secret via RPC calls failed
    error code was NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND (0xc0000233)
    Could not check secret

However, nmblookup -R -U 2.1.254.254 DomA#1b gives me 1.1.254.254 DomA#1b, and I can successfully look up DomA users and groups using both wbinfo -u/g and getent passwd/group.

But the ids allocated are not in the range given by idmap config DomA:range = 4000-4999 but in the range given by idmap alloc config:range = 3000-3999.

This is the first thing I am trying to fix.

The other thing now is how to grant DomA users rights to access and modify the files/shares/printers from DomB, as DomB was so far only managed using domain groups that were mapped from unix groups.

Can anybody help?

--
François Legal

Message scanned by ClamAV engine (http://www.clamav.net)
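As an added example (not code from the original post), a small Python check for the idmap range problem described above: it parses the idmap ranges out of an smb.conf fragment built from the settings quoted in the post, then scans constructed getent passwd output for domain-qualified accounts whose uid landed in the "idmap alloc config" range instead of the domain's own range. The account names and uids are made up for the example.

```python
import re

# Constructed smb.conf fragment using the idmap settings quoted in the post.
SMB_CONF = """
[global]
    winbind separator = \\
    idmap domains = DomA
    idmap alloc backend = tdb
    idmap config DomA:range = 4000-4999
    idmap config DomA:default = Yes
    idmap config DomA:backend = tdb
    idmap alloc config:range = 3000-3999
"""

# Constructed `getent passwd` output as winbind prints it with separator '\'.
# The uids are invented to reproduce the symptom: allocated from 3000-3999.
GETENT_PASSWD = """\
DomA\\alice:*:3001:3001::/home/home/DomA/alice:/bin/false
DomA\\bob:*:3002:3001::/home/home/DomA/bob:/bin/false
local:x:1000:1000::/home/local:/bin/bash
"""

# Matches both "idmap config <DOM>:range = lo-hi" and "idmap alloc config:range = lo-hi".
RANGE_RE = re.compile(
    r"^\s*idmap (?:config (\S+?)|alloc config):range\s*=\s*(\d+)-(\d+)\s*$", re.M)


def parse_ranges(conf):
    """Return {'DomA': (4000, 4999), 'alloc': (3000, 3999)} for the fragment above."""
    ranges = {}
    for m in RANGE_RE.finditer(conf):
        name = m.group(1) or "alloc"
        ranges[name] = (int(m.group(2)), int(m.group(3)))
    return ranges


def check_ids(conf, passwd_output, separator="\\"):
    """For each DOMAIN<sep>user account, report which configured range its uid fell in."""
    ranges = parse_ranges(conf)
    findings = {}
    for line in passwd_output.splitlines():
        if not line.strip():
            continue
        name, _, uid = line.split(":")[:3]
        if separator not in name:
            continue  # local unix account, not allocated by winbind
        domain, uid = name.split(separator, 1)[0], int(uid)
        hit = [r for r, (lo, hi) in ranges.items() if lo <= uid <= hi]
        ok = domain in ranges and ranges[domain][0] <= uid <= ranges[domain][1]
        findings[name] = {"uid": uid, "in_range": hit, "matches_domain_range": ok}
    return findings
```

Any account whose "matches_domain_range" is False while "in_range" lists "alloc" shows the allocation went to the generic alloc backend rather than the per-domain range.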
Yeah, I'm baffled by the relationship between domain trusts and WINS. There's some sort of weird dependency there that I can't figure out. lmhosts doesn't seem to help much either.

If you have WAN-linked domains with multiple segments (like most medium-to-large businesses) you want to have a WINS server per LAN so that your local networks don't fail every time the phone company fubars your WAN link. This is intuitively obvious, but it contradicts the documentation a little (because the "one WINS server per network" should actually say "one WINS server per LAN" or possibly "one WINS server per domain").

Interdomain trusts haven't worked right for me since smbpasswd went away. There's a sambaTrustPassword attribute in the LDAP schema file distributed by the samba team, but no indications of how to use it, and the "net" toolset doesn't seem to create or modify it.

Sorry this post is no help. :( If you figure out what exactly the relationship is between WINS and domain trusts, please post your findings!

Thanks,
--Charlie

On Thu, May 29, 2008 at 8:59 AM, <devel@thom.fr.eu.org> wrote: