tms3 at tms3.com
2011-Jan-05 21:52 UTC
[Samba] Domain trust between a Samba PDC domain and W2K ADdomain
SNIP
> Hi people.
>
> I'm working on a trust relation between Samba 3.3.X and Windows 2003
> AD mixed mode.
>
> I have read the doc about this but for some reason it won't work, my
> PDC+LDAP is working but I still cannot make these 2 servers share
> users.

In my experience, it is fairly straightforward to get AD users trusted by the Samba controlled Domain, although granular file permissions are tricky at best. In the opposite direction, this is quite difficult, unless the AD domain is in the very old now, mixed mode.

> Could u please give me the process u use to create the relation
> between win2k3(in/out) and samba?
>
> I will appreciate it, thanks!!!
>
> --
> Living the dream...
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
Gaiseric Vandal
2011-Jan-05 22:53 UTC
[Samba] Domain trust between a Samba PDC domain and W2K ADdomain
I have a samba domain (Samba 3.4.x PDC) and a Windows 2003 (in 2003 native mode) domain. Trusts MOSTLY work- having Samba recognize AD users is a little trickier.

For samba to trust windows, make sure you have idmap info defined in smb.conf. I have an ldap backend- it may not be quite correct.

    #IDMAP DEFAULT ALLOC
    idmap alloc backend = ldap
    idmap alloc config:ldap_url = ldap://ldap1.mydomain.com
    idmap alloc config:ldap_base_dn = ou=alloc,ou=idmap,o=mydomain.com
    idmap alloc config:ldap_user_dn = cn=xxxx
    idmap alloc config:range = 30000 - 79999

    idmap config WINDOMAIN:backend = ldap
    idmap config WINDOMAIN:readonly = no
    idmap config WINDOMAIN:default=no
    idmap config WINDOMAIN:ldap_base_dn = ou=windomain,ou=idmap,o=mydomain.com
    idmap config WINDOMAIN:ldap_user_dn = cn=xxxx
    idmap config WINDOMAIN:ldap_url = ldap://ldap1.mydomain.com
    idmap config WINDOMAIN:range = 30000-39999

I would also make sure that both the samba and windows DC use the same WINS server. You may want to have them use the same DNS server- or at least make sure that the DNS server each is using supports the AD DNS stuff from the windows domain.

On the samba PDC, I also added an entry in krb5.conf for the trusted domain. Not sure if that really mattered. Samba logs indicated it was looking for the kdc for the administration domain.

On 01/05/2011 04:52 PM, tms3 at tms3.com wrote:
>
> SNIP
>> Hi people.
>>
>> I'm working on a trust relation between Samba 3.3.X and Windows 2003
>> AD mixed mode.
>>
>> I have read the doc about this but for some reason it won't work, my
>> PDC+LDAP is working but I still cannot make these 2 servers share
>> users.
> In my experience, it is fairly straightforward to get AD users trusted
> by the Samba controlled Domain, although granular file permissions
> are tricky at best. In the opposite direction, this is quite
> difficult, unless the AD domain is in the very old now, mixed mode.
>>
>> Could u please give me the process u use to create the relation
>> between win2k3(in/out) and samba?
>>
>> I will appreciate it, thanks!!!
>>
>> --
>> Living the dream...
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba
Gaiseric Vandal
2011-Jan-05 23:01 UTC
[Samba] Domain trust between a Samba PDC domain and W2K ADdomain
PS most of the procedure for setting up trusts is in the docs on the samba.org site. The idmap stuff is tricky since the mechanics seem to change with each samba version.

Once you have set up trusts, you want to make sure that the samba machine sees the AD users and groups with "wbinfo -u" and "wbinfo -g." (usually pretty easy to get to this part.) Then you want to update nsswitch.conf to make sure "getent passwd" and "getent group" also show the AD users. (this relies on the idmap stuff working.)

-------- Original Message --------
Subject: Re: [Samba] Domain trust between a Samba PDC domain and W2K ADdomain
Date: Wed, 05 Jan 2011 17:53:48 -0500
From: Gaiseric Vandal <gaiseric.vandal at gmail.com>
Reply-To: gaiseric.vandal at gmail.com
To: samba at lists.samba.org

(forwarded copy of the 22:53 UTC message above, including its quoted thread)
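The two replies above describe the same set of checks: idmap ranges defined in smb.conf, nsswitch.conf consulting winbind, and the trusted-domain user visible to both "wbinfo -u" and "getent passwd". The shell script below is an added example, not code from either poster: its function names are hypothetical, the sample smb.conf and nsswitch.conf it writes are constructed from the idmap range lines quoted in the thread, and the live wbinfo/getent check is skipped where winbind is not installed.

```shell
# Added example (not from the thread): checks the pieces the replies say must
# line up for trusted-domain users to resolve on a Samba PDC. Helper names are
# hypothetical; file paths are parameters so the parsers can run offline.
# Write constructed sample files into directory $1: the idmap range lines
# from the thread plus a nsswitch.conf that consults winbind for passwd/group.
write_samples() {
    cat >"$1/smb.conf" <<'EOF'
[global]
   idmap alloc backend = ldap
   idmap alloc config:range = 30000 - 79999
   idmap config WINDOMAIN:backend = ldap
   idmap config WINDOMAIN:range = 30000-39999
EOF
    printf 'passwd: files winbind\ngroup:  files winbind\n' >"$1/nsswitch.conf"
}

# Return 0 only if both the passwd and group lines of nsswitch.conf $1 list winbind.
nss_has_winbind() {
    for _db in passwd group; do
        grep -E "^[[:space:]]*${_db}:.*[[:space:]]winbind([[:space:]]|\$)" "$1" >/dev/null || return 1
    done
    return 0
}

# Print "LABEL low high" for each idmap range in smb.conf $1 (ALLOC for the
# alloc range, otherwise the domain name); accepts both "a - b" and "a-b".
idmap_ranges() {
    sed -n -E 's/^[[:space:]]*idmap (alloc config|config [^:]+):range[[:space:]]*=[[:space:]]*([0-9]+)[[:space:]]*-[[:space:]]*([0-9]+).*/\1 \2 \3/p' "$1" \
        | sed -E 's/^alloc config/ALLOC/; s/^config //'
}

# Return 0 if uid $2 falls inside the range labelled $1 in smb.conf $3.
uid_in_range() {
    idmap_ranges "$3" | {
        while read -r _lbl _lo _hi; do
            if [ "$_lbl" = "$1" ] && [ "$2" -ge "$_lo" ] && [ "$2" -le "$_hi" ]; then
                exit 0
            fi
        done
        exit 1
    }
}

# Live check, only where winbind runs: user $1 (e.g. WINDOMAIN\user) must be
# listed by "wbinfo -u" and resolve through NSS, as the replies describe.
check_trusted_user() {
    command -v wbinfo >/dev/null 2>&1 || { echo "wbinfo not installed, skipping"; return 2; }
    wbinfo -u | grep -qxF "$1" || { echo "winbind does not list $1"; return 1; }
    getent passwd "$1" >/dev/null || { echo "NSS cannot resolve $1: check idmap and nsswitch.conf"; return 1; }
    echo "$1 resolves through winbind and NSS"
}
```

A uid that winbind assigns outside the domain's declared range, or a passwd/group line without winbind, is the usual reason "wbinfo -u" lists a user that "getent passwd" cannot find.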