devel@thom.fr.eu.org
2008-May-29 12:59 UTC
[Samba] Trustdom setup and trusted group management
Hello,
I joined 2 sites using an IPSEC tunnel, and made one domain trust the
other (2 small Samba DC based domains with about 10 users in each).
I first had resolving issues until I decided to keep only one WINS server
for both networks (though this is still an issue to me because if for any
reason the tunnel is broken, I no longer have WINS on one side).
Finally, here is my setup:
Network A 1.1.0.0/16 with Samba DC ServA for domain DomA at ip 1.1.254.254
(which also acts as IPSEC gateway and firewall).
Network B 2.1.0.0/16 with Samba DC ServB for domain DomB at ip 2.1.254.254
(which also acts as IPSEC gateway and firewall).
Browsing is OK (I think):
preferred master = Yes
local master = Yes
domain master = Yes
browse list = Yes
enhanced browsing = Yes
remote announce = 1.1.254.254 (2.1.254.254 for ServA)
remote browse sync = 1.1.254.254 (2.1.254.254 for ServA)
ServB is the WINS for both networks.
name resolve order = wins host lmhosts bcast
wins proxy = Yes
wins support = Yes
All nodes on both networks configured as peer to peer (0x3).
All nodes can access any other, whatever the network.
From here, I set up the trustdom: DomA is the trusted domain and DomB the
trusting one.
The command net rpc trustdom establish DomA, run on ServB, returned:
Unable to join ServA
Successfully joined DomA
From here, I set up winbindd on ServB to be able to play with DomA users.
idmap domains = DomA
idmap alloc backend = tdb
template homedir = /home/home/%D/%U
template shell = /bin/false
winbind separator = \
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = No
winbind trusted domains only = No
winbind nested groups = Yes
winbind nss info = template
winbind:rpc only = yes
idmap config DomA:range = 4000-4999
idmap config DomA:default = Yes
idmap config DomA:backend = tdb
idmap alloc config:range = 3000-3999
And here I have a strange failure: wbinfo -t returns "checking
the trust secret via RPC calls failed
error code was NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND (0xc0000233)
Could not check secret"
However, nmblookup -R -U 2.1.254.254 DomA#1b gives me 1.1.254.254 DomA#1b,
and I can successfully look up DomA users and groups using both wbinfo -u/g
and getent passwd/group.
But the ids allocated are not in the range given by idmap config
DomA:range = 4000-4999 but in the range in idmap alloc config:range 3000-3999.
This is the first thing I'm trying to fix.
The other thing now is how to grant DomA users rights to access and
modify the files/shares/printers on DomB, as DomB was so far only managed
using domain groups that were mapped from Unix groups.
Can anybody help?
--
François Legal
Message scanned by ClamAV engine (http://www.clamav.net)
--------------------------------------------------------
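A quick way to confirm the symptom reported above (trusted-domain ids landing in the "idmap alloc config" range instead of the per-domain "idmap config DomA:range") is to compare the ranges declared in smb.conf against what getent actually hands out. The checker below is an added example, not code from the original post or from Samba; the smb.conf fragment and getent lines inside it are constructed to mirror the post, and on a real server you would feed it the actual smb.conf and the output of "getent passwd".

```python
import re

# Constructed smb.conf fragment mirroring the settings in the post (not the
# poster's real file): per-domain range 4000-4999, allocator range 3000-3999.
SMB_CONF = """[global]
   winbind separator = \\
   idmap config DomA:range = 4000-4999
   idmap config DomA:backend = tdb
   idmap alloc config:range = 3000-3999
"""

# Constructed 'getent passwd' lines: the DomA uids deliberately sit in the
# allocator range, reproducing the symptom reported above.
GETENT_PASSWD = """root:x:0:0:root:/root:/bin/bash
DOMA\\alice:*:3000:3001:alice:/home/home/DOMA/alice:/bin/false
DOMA\\bob:*:3002:3001:bob:/home/home/DOMA/bob:/bin/false
"""

RANGE_RE = re.compile(r'^\s*idmap config (\S+):range\s*=\s*(\d+)\s*-\s*(\d+)', re.I | re.M)

def parse_idmap_ranges(conf):
    """Map DOMAIN (upper-cased) -> (low, high) from 'idmap config X:range' lines."""
    return {m.group(1).upper(): (int(m.group(2)), int(m.group(3)))
            for m in RANGE_RE.finditer(conf)}

def parse_separator(conf):
    """Winbind separator from smb.conf; Samba's default is a backslash."""
    m = re.search(r'^\s*winbind separator\s*=\s*(\S)', conf, re.I | re.M)
    return m.group(1) if m else '\\'

def check_uid_ranges(conf, passwd_text):
    """Return (name, uid, expected_range) for each winbind-mapped account whose uid is outside its domain's range (None = no range configured)."""
    ranges, sep, bad = parse_idmap_ranges(conf), parse_separator(conf), []
    for line in passwd_text.splitlines():
        if not line.strip():
            continue
        name, _pw, uid, *_ = line.split(':')
        if sep not in name:
            continue  # plain Unix account, not mapped by winbind
        domain = name.split(sep, 1)[0].upper()
        rng = ranges.get(domain)
        if rng is None or not (rng[0] <= int(uid) <= rng[1]):
            bad.append((name, int(uid), rng))
    return bad

if __name__ == '__main__':
    for name, uid, rng in check_uid_ranges(SMB_CONF, GETENT_PASSWD):
        print(f"{name}: uid {uid} outside configured range {rng}")
```

Ids that drift outside the intended range matter beyond tidiness: file ACLs and quotas on DomB shares are keyed on these uids, so an allocation that is not reproducible across servers or reinstalls silently changes who owns what.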
Yeah, I'm baffled by the relationship between domain trusts and WINS. There's some sort of weird dependency there that I can't figure out. lmhosts doesn't seem to help much either.

If you have WAN-linked domains with multiple segments (like most medium-to-large businesses) you want to have a WINS server per LAN so that your local networks don't fail every time the phone company fubars your WAN link. This is intuitively obvious, but it contradicts the documentation a little (because the "one WINS server per network" should actually say "one WINS server per LAN" or possibly "one WINS server per domain").

Interdomain trusts haven't worked right for me since smbpasswd went away. There's a sambaTrustPassword attribute in the LDAP schema file distributed by the samba team, but no indications of how to use it, and the "net" toolset doesn't seem to create or modify it.

Sorry this post is no help. :( If you figure out what exactly the relationship is between WINS and domain trusts, please post your findings!

Thanks,
--Charlie

On Thu, May 29, 2008 at 8:59 AM, <devel@thom.fr.eu.org> wrote: