Daniel Patrick Sullivan
2012-Feb-22 18:40 UTC
[Samba] Question regarding default user domain in samba
Hi, Everybody,

I sent an email to this list with a couple of questions in it earlier this week; this is kind of a 'repeat' question, so I apologize if you've read this one already. I wanted to flesh out the details of my inquisition a tad bit more in hopes that somebody could potentially chime in with an answer, as I am afraid that I either a) didn't articulate my question in enough detail or b) didn't ask nicely enough the first time :-)

Ok, so here's my problem: I am working in an environment with an Active Directory forest where 100% of our user accounts exist in one domain and 100% of our computer objects exist in another domain. I have winbind set up with pam & ssh, and everything is working fine. I can authenticate across the trust, no problem. My issue is that whenever I authenticate, I have to supply the domain name and whatever domain separator is configured in smb.conf to get this working. I know about the "use default domain" option in smb.conf, but from what I understand this will only "prepend" the default realm, or the domain that the computer is actually a domain member of. So really, I want to:

1) set the 'use default domain' option (or implement similar functionality) AND
2) specify the actual domain that is used (i.e. a domain that is trusted, although NOT the domain that the server is actually a member of).

Does anybody know if this is possible? In my opinion this is more of a usability issue than anything (i.e. it is kind of a pain to type in the domain name every time I authenticate). I would think that achieving this effect (specifying "use default domain" and deterministically configuring the default logon domain) would be feasible, but I'm still banging my head against the wall trying to figure out if this is possible.

I've already tried:

1) setting the default_realm in the [libdefaults] stanza in /etc/krb5.conf
2) using a usermap supplied in /etc/samba/smb.conf

If anybody knows how to do this, or could point me to a piece of documentation that suggests a way to implement this sort of configuration, I would greatly appreciate it.

Thank you so much, and have a wonderful day.

Dan Sullivan
Andrew Bartlett
2012-Feb-27 01:48 UTC
[Samba] Question regarding default user domain in samba
On Wed, 2012-02-22 at 12:40 -0600, Daniel Patrick Sullivan wrote:
> Hi, Everybody,
>
> I sent an email to this list with a couple of questions in it earlier
> this week; this is kind of a 'repeat' question, so I apologize if
> you've read this one already; I wanted to flesh out the details of my
> inquisition a tad bit more in hopes that somebody could potentially
> chime in with an answer as I am afraid that I either a) didn't
> articulate my question in enough detail or b) didn't ask nicely
> enough the first time :-)
>
> Ok, so here's my problem; I am working in an environment with an
> Active Directory forest where 100% of our user accounts exist in one
> domain and 100% of our computer objects exist in another domain. I
> have winbind setup with pam & ssh, and everything is working fine. I
> can authenticate across the trust no problem. My issue is that whenever
> I authenticate, I have to supply the domain name and whatever domain
> separator is configured in smb.conf to get this working. I know about
> the "use default domain" option in smb.conf, but from what I
> understand this will only "prepend" the default realm, or the domain
> that the computer is actually a domain member of. So really, I want
> to:
>
> 1) set the 'use default domain' option (or implement similar functionality) AND
> 2) specify the actual domain that is used (i.e. a domain that is
> trusted, although NOT the domain that the server is actually a member
> of).
>
> Does anybody know if this is possible?

No, it is not.

While I originally created 'winbind use default domain', and I've seen it used exactly how I intended in the multi-protocol NAS that I now work on, I also understand that others find that it has caused us challenges in our internal implementation, in particular due to the ambiguity it creates between local system users and winbind users. Therefore, I suspect it will not be extended.

On the other hand, the views of my colleagues may have changed, and a clean patch implementing this might help show why this is worthwhile.

Andrew Bartlett

-- 
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
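As an added illustration (not taken from either message in this thread), here is an smb.conf fragment showing the two winbind options the question and the reply turn on, with comments describing the resulting login-name behaviour and the local-user ambiguity Andrew points out. The domain names, realm and separator character are assumed placeholders, not values from the thread.

```ini
; Added example smb.conf fragment; not from the thread. Domain names,
; realm and the separator character are assumed placeholders.
[global]
   security = ads
   ; The domain this host is joined to (the one holding the computer
   ; objects in the scenario described above).
   workgroup = HOSTS
   realm = HOSTS.EXAMPLE.COM

   ; 'winbind separator' defaults to '\'; '+' avoids shell escaping
   ; when typing DOMAIN+user at an ssh prompt.
   winbind separator = +

   ; With 'yes', a bare login name such as 'dsullivan' is resolved as
   ; HOSTS+dsullivan, i.e. against the joined domain only. Accounts in
   ; the trusted USERS domain must still be given as USERS+dsullivan;
   ; there is no option to make a trusted domain the implied one.
   winbind use default domain = yes

   ; Caveat from the reply above: once the prefix is dropped, a winbind
   ; user and a local /etc/passwd user with the same name become
   ; ambiguous. Either keep local account names distinct from AD account
   ; names or leave this option at its default of 'no'.
```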