Karim Ayari
2016-Dec-08 11:19 UTC
[Samba] Winbind in Multiple-Forests - Super Admin Domain Model
We implement a Multiple-Forests - Super Admin Domain Model based on:
https://technet.microsoft.com/en-us/library/cc546821.aspx

We have 2 forests using W2K12r2: RSC for resources and ADM for admin user accounts.

We join the Linux server to RSC with an ADM credential:

# net ads join -U linuxadm@ADM.LAB

We have a problem when we have to read uidNumber and gidNumber from the ADM forest. Winbind tries to bind an LDAP connection to ADM using its credential from RSC: SMB1$@RSC.LAB.

The trust relationship (one-way) doesn't permit binding to ADM with a user from RSC and returns an empty LDAP result.

So we can't get a valid Unix user with uid, gid, shell, groups...

If we modify the one-way trust to a two-way one, then we can get the user's LDAP properties.

The Windows architects don't want to modify the trust relationship on production servers.

Here is our smb.conf:

[global]
workgroup = RSC
realm = RSC.LAB
security = ads
netbios name = SMB1
kerberos method = secrets and keytab

idmap config ADM:backend = ad
idmap config ADM:range = 10000-20000
idmap config ADM:schema_mode = rfc2307

idmap config RSC:backend = ad
idmap config RSC:range = 500-9999
idmap config RSC:schema_mode = rfc2307

idmap backend = tdb
idmap config:range = 30000-100000

winbind nss info = rfc2307

[homes]
comment = Home Directories
browseable = no
writable = yes

Is there a way to force winbind to use another account to bind to the ADM LDAP?

Thanks.
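The smb.conf above declares one idmap range per domain plus a default range. Getting those ranges wrong is a silent security problem: two ranges that overlap let a SID from one domain be mapped to the same uid as a SID from another, so file ownership and permissions no longer identify a single principal, and a range that dips below the local UID_MIN can collide with system accounts. The following checker is an added example, not code from the thread or from Samba. It parses `idmap config DOMAIN : key = value` lines and reports overlapping ranges, an `ad` backend without `schema_mode = rfc2307`, and ranges that reach into the local system account space. Two assumptions are made: the default backend is written in the `idmap config * :` form (the thread uses the older spelling), and local system accounts live below UID 1000, the usual login.defs UID_MIN.

```python
"""Audit idmap ranges in an smb.conf for overlap and other misconfigurations.

Added example; constructed for this thread, not Samba code.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample modelled on the smb.conf posted in the thread.
# Assumption: the default backend is spelled in the "idmap config * :" form.
SAMPLE_SMB_CONF = """
[global]
workgroup = RSC
realm = RSC.LAB
security = ads
netbios name = SMB1
kerberos method = secrets and keytab
idmap config ADM:backend = ad
idmap config ADM:range = 10000-20000
idmap config ADM:schema_mode = rfc2307
idmap config RSC:backend = ad
idmap config RSC:range = 500-9999
idmap config RSC:schema_mode = rfc2307
idmap config * : backend = tdb
idmap config * : range = 30000-100000
winbind nss info = rfc2307
"""

# Assumption: local accounts are below UID 1000 (typical login.defs UID_MIN).
SYSTEM_UID_MAX = 999

# Matches "idmap config <domain> : <key> = <value>", with or without spaces
# around the colon; "*" is the default-domain marker Samba uses.
IDMAP_LINE = re.compile(
    r"^\s*idmap\s+config\s+(?P<domain>[^:\s]+)\s*:\s*(?P<key>\w+)\s*=\s*(?P<value>.+?)\s*$",
    re.IGNORECASE,
)


def parse_idmap_config(text: str) -> Dict[str, Dict[str, str]]:
    """Return {domain: {option: value}} for every idmap config line."""
    domains: Dict[str, Dict[str, str]] = {}
    for line in text.splitlines():
        m = IDMAP_LINE.match(line)
        if not m:
            continue
        dom = m.group("domain").upper()  # "*" is unchanged by upper()
        domains.setdefault(dom, {})[m.group("key").lower()] = m.group("value")
    return domains


def parse_range(value: str) -> Tuple[int, int]:
    """Turn "low-high" into (low, high), rejecting inverted ranges."""
    lo, hi = (int(p) for p in value.split("-", 1))
    if lo > hi:
        raise ValueError(f"inverted idmap range: {value}")
    return lo, hi


def idmap_ranges(domains: Dict[str, Dict[str, str]]) -> Dict[str, Tuple[int, int]]:
    """Collect the declared range of every domain that has one."""
    return {d: parse_range(o["range"]) for d, o in domains.items() if "range" in o}


def find_overlaps(ranges: Dict[str, Tuple[int, int]]) -> List[Tuple[str, str]]:
    """Return every pair of domains whose id ranges intersect."""
    names = sorted(ranges)
    overlaps = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            alo, ahi = ranges[a]
            blo, bhi = ranges[b]
            if alo <= bhi and blo <= ahi:  # closed intervals intersect
                overlaps.append((a, b))
    return overlaps


def domains_touching_system_ids(ranges: Dict[str, Tuple[int, int]],
                                system_max: int = SYSTEM_UID_MAX) -> List[str]:
    """Domains whose range starts inside the local system account space."""
    return sorted(d for d, (lo, _) in ranges.items() if lo <= system_max)


def audit(text: str) -> List[str]:
    """Run all checks over an smb.conf body and return human-readable findings."""
    domains = parse_idmap_config(text)
    ranges = idmap_ranges(domains)
    findings = []
    for d, opts in domains.items():
        if opts.get("backend", "").lower() == "ad" and opts.get("schema_mode", "").lower() != "rfc2307":
            findings.append(f"{d}: backend ad without schema_mode rfc2307")
        if "range" not in opts:
            findings.append(f"{d}: no range declared")
    for a, b in find_overlaps(ranges):
        findings.append(f"{a} and {b}: idmap ranges overlap")
    for d in domains_touching_system_ids(ranges):
        findings.append(f"{d}: range starts at {ranges[d][0]}, inside the local system account range")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_SMB_CONF):
        print(finding)
```

On the sample, the only finding is that RSC's range starts at 500, which overlaps the uids that local system accounts normally occupy; the three ranges themselves are disjoint. The overlap check is the one to keep in a pre-deployment lint, since winbind does not refuse a configuration whose ranges collide.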
Volker Lendecke
2016-Dec-08 11:25 UTC
[Samba] Winbind in Multiple-Forests - Super Admin Domain Model
On Thu, Dec 08, 2016 at 12:19:08PM +0100, Karim Ayari via samba wrote:
> We implement a Multiple-Forests - Super Admin Domain Model based on:
>
> https://technet.microsoft.com/en-us/library/cc546821.aspx
>
> We have 2 forests using W2K12r2: RSC for resources and ADM for admin user
> accounts.
>
> We join the Linux server to RSC with an ADM credential:
>
> # net ads join -U linuxadm@ADM.LAB
>
> We have a problem when we have to read uidNumber and gidNumber from the ADM
> forest. Winbind tries to bind an LDAP connection to ADM using its credential
> from RSC: SMB1$@RSC.LAB.
>
> The trust relationship (one-way) doesn't permit binding to ADM with a user
> from RSC and returns an empty LDAP result.
>
> So we can't get a valid Unix user with uid, gid, shell, groups...
>
> If we modify the one-way trust to a two-way one, then we can get the user's LDAP
> properties.
>
> The Windows architects don't want to modify the trust relationship on
> production servers.
>
> Here is our smb.conf:
>
> [global]
>
> workgroup = RSC
> realm = RSC.LAB
> security = ads
> netbios name = SMB1
> kerberos method = secrets and keytab
>
> idmap config ADM:backend = ad
> idmap config ADM:range = 10000-20000
> idmap config ADM:schema_mode = rfc2307
>
> idmap config RSC:backend = ad
> idmap config RSC:range = 500-9999
> idmap config RSC:schema_mode = rfc2307
>
> idmap backend = tdb
> idmap config:range = 30000-100000
>
> winbind nss info = rfc2307
>
> [homes]
> comment = Home Directories
> browseable = no
> writable = yes
>
> Is there a way to force winbind to use another account to bind to the ADM LDAP?

Not right now, but this would be a very nice addition to the module.

Volker
Karim Ayari
2016-Dec-08 13:46 UTC
[Samba] Winbind in Multiple-Forests - Super Admin Domain Model
Thank you Volker,

I tried to use hash and rid as an alternative to the ad backend. The best I can get is the SID of the user from ADM, but I can't get his groups.

If it is feasible, could you point me to a solution? Or should I simply switch to another solution?

2016-12-08 12:25 GMT+01:00 Volker Lendecke <vl at samba.org>:
> On Thu, Dec 08, 2016 at 12:19:08PM +0100, Karim Ayari via samba wrote:
> > Is there a way to force winbind to use another account to bind to the ADM
> > LDAP?
>
> Not right now, but this would be a very nice addition to the module.
>
> Volker