A. James Lewis
2017-Sep-28 13:57 UTC
[Samba] Trusted domain with different short name to DNS name.
Hey,

I have 2 trusted domains to deal with, "DEV" and "TODEV", and I have configured smb.conf like this:-

[global]
workgroup = MAIN
security = ADS
realm = MAIN.DOMAIN.LOCAL

idmap config *:backend = tdb
idmap config *:range = 95000-99999
idmap config MAIN:backend = rid
idmap config MAIN:range = 100000-999999
idmap config DEV:backend = rid
idmap config DEV:range = 2000000-2999999
idmap config TODEV:backend = rid
idmap config TODEV:range = 3000000-3999999

winbind trusted domains only = no
winbind use default domain = yes
winbind refresh tickets = yes

template shell = /bin/bash
template homedir = /home/%D/%U

The issue is that "TODEV" is the short name, while the DNS name is to.dev.domain.local.... I can see group memberships in "DEV", but not in TODEV... presumably because there's no way for Samba to map the TODEV short name to a DNS "SRV" query to find the LDAP server details.

What would be the correct way to go about this when the domain short name, and the DNS don't match?

--
A. James Lewis (james at fsck.co.uk)
"Engineering does not require science. Science helps a lot but people built perfectly good brick walls long before they knew why cement works."
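An added example, not part of the post and not Samba's own tooling: a shell check over the idmap ranges in a configuration like the one above. With "idmap config DOM:backend = rid" a Unix ID is computed by adding the SID's RID to the start of that domain's range, so if two domains' ranges overlap, SIDs from different domains resolve to the same UID/GID and file ownership and group membership silently merge across domains. The function name check_idmap_ranges, the variables CLEAN_CONF and OVERLAP_CONF, and the fourth domain "QA" in the second sample are all constructed here; the first sample reuses the ranges from the post, the second deliberately breaks them.

```shell
#!/bin/sh
# Added example; not code from the thread or from the Samba project.
# check_idmap_ranges reads an smb.conf on stdin, prints every
# "idmap config DOM:range = LOW-HIGH" it finds and exits 1 if a range is
# malformed or two ranges overlap. With "backend = rid" a Unix ID is the
# SID's RID added to the range start, so overlapping ranges let SIDs from
# two different domains land on the same UID/GID.
check_idmap_ranges() {
    awk '
    /^[ \t]*idmap[ \t]+config[ \t]+[^:]+:[ \t]*range[ \t]*=/ {
        line = $0
        sub(/^[ \t]*idmap[ \t]+config[ \t]+/, "", line)      # "DOM:range = LOW-HIGH"
        split(line, kv, ":")
        dom = kv[1]; gsub(/[ \t]/, "", dom)                   # "DOM"; "*" is the default range
        val = line
        sub(/^[^=]*=[ \t]*/, "", val); gsub(/[ \t]/, "", val) # "LOW-HIGH"
        n = split(val, b, "-")
        if (n != 2 || b[1] !~ /^[0-9]+$/ || b[2] !~ /^[0-9]+$/ || b[1] + 0 > b[2] + 0) {
            printf "BAD      %s range \"%s\"\n", dom, val
            bad = 1
            next
        }
        cnt++
        D[cnt] = dom; LO[cnt] = b[1] + 0; HI[cnt] = b[2] + 0
        printf "OK       %-8s %d-%d\n", dom, LO[cnt], HI[cnt]
    }
    END {
        # closed intervals [a,b] and [c,d] overlap iff a <= d and c <= b
        for (i = 1; i <= cnt; i++)
            for (j = i + 1; j <= cnt; j++)
                if (LO[i] <= HI[j] && LO[j] <= HI[i]) {
                    printf "OVERLAP  %s (%d-%d) and %s (%d-%d)\n", D[i], LO[i], HI[i], D[j], LO[j], HI[j]
                    bad = 1
                }
        if (bad) exit 1
        exit 0
    }'
}

# Constructed sample 1: the ranges from the post, which do not overlap.
CLEAN_CONF='[global]
   workgroup = MAIN
   security = ADS
   realm = MAIN.DOMAIN.LOCAL
   idmap config *:backend = tdb
   idmap config *:range = 95000-99999
   idmap config MAIN:backend = rid
   idmap config MAIN:range = 100000-999999
   idmap config DEV:backend = rid
   idmap config DEV:range = 2000000-2999999
   idmap config TODEV:backend = rid
   idmap config TODEV:range = 3000000-3999999'

# Constructed sample 2: TODEV has been moved into the middle of the DEV range
# and a hypothetical fourth domain QA has a range with no upper bound.
OVERLAP_CONF='[global]
   idmap config *:backend = tdb
   idmap config *:range = 95000-99999
   idmap config MAIN:backend = rid
   idmap config MAIN:range = 100000-999999
   idmap config DEV:backend = rid
   idmap config DEV:range = 2000000-2999999
   idmap config TODEV:backend = rid
   idmap config TODEV:range = 2500000-3499999
   idmap config QA:backend = rid
   idmap config QA:range = 4000000'

echo "== clean config =="
if printf '%s\n' "$CLEAN_CONF" | check_idmap_ranges; then
    echo "result: ranges are consistent"
else
    echo "result: fix the ranges before starting winbind"
fi

echo "== overlapping config =="
if printf '%s\n' "$OVERLAP_CONF" | check_idmap_ranges; then
    echo "result: ranges are consistent"
else
    echo "result: fix the ranges before starting winbind"
fi
```

Against a live system the same function runs as `check_idmap_ranges < /etc/samba/smb.conf`. The check only looks at the static ranges; for the discovery question in the post, `wbinfo -m` lists the trusted domains winbind has learned and `wbinfo -D TODEV` prints that domain's record, including Alt_Name, which is the DNS name winbind was handed for the domain rather than anything derived from the short name "TODEV".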
Rowland Penny
2017-Sep-28 14:25 UTC
[Samba] Trusted domain with different short name to DNS name.
On Thu, 28 Sep 2017 13:57:25 +0000
"A. James Lewis via samba" <samba at lists.samba.org> wrote:

> Hey,
>
> I have 2 trusted domains to deal with, "DEV" and "TODEV", and I have
> configured smb.conf like this:-
>
> [global]
> workgroup = MAIN
> security = ADS
> realm = MAIN.DOMAIN.LOCAL
>
> idmap config *:backend = tdb
> idmap config *:range = 95000-99999
> idmap config MAIN:backend = rid
> idmap config MAIN:range = 100000-999999
> idmap config DEV:backend = rid
> idmap config DEV:range = 2000000-2999999
> idmap config TODEV:backend = rid
> idmap config TODEV:range = 3000000-3999999
>
> winbind trusted domains only = no
> winbind use default domain = yes
> winbind refresh tickets = yes
>
> template shell = /bin/bash
> template homedir = /home/%D/%U
>
> The issue is that "TODEV" is the short name, while the DNS name is
> to.dev.domain.local.... I can see group memberships in "DEV", but not
> in TODEV... presumably because there's no way for Samba to map the
> TODEV short name to a DNS "SRV" query to find the LDAP server details.
>
> What would be the correct way to go about this when the domain short
> name, and the DNS don't match?
>

What version of Samba?
Are the trusts two way?

You should remove 'winbind use default domain'

Rowland
A. James Lewis
2017-Sep-28 15:01 UTC
[Samba] Trusted domain with different short name to DNS name.
September 28, 2017 3:32 PM, "Rowland Penny via samba" <samba at lists.samba.org> wrote:

> On Thu, 28 Sep 2017 13:57:25 +0000
> "A. James Lewis via samba" <samba at lists.samba.org> wrote:
>
>> Hey,
>>
>> I have 2 trusted domains to deal with, "DEV" and "TODEV", and I have
>> configured smb.conf like this:-
>>
>> [global]
>> workgroup = MAIN
>> security = ADS
>> realm = MAIN.DOMAIN.LOCAL
>>
>> idmap config *:backend = tdb
>> idmap config *:range = 95000-99999
>> idmap config MAIN:backend = rid
>> idmap config MAIN:range = 100000-999999
>> idmap config DEV:backend = rid
>> idmap config DEV:range = 2000000-2999999
>> idmap config TODEV:backend = rid
>> idmap config TODEV:range = 3000000-3999999
>>
>> winbind trusted domains only = no
>> winbind use default domain = yes
>> winbind refresh tickets = yes
>>
>> template shell = /bin/bash
>> template homedir = /home/%D/%U
>>
>> The issue is that "TODEV" is the short name, while the DNS name is
>> to.dev.domain.local.... I can see group memberships in "DEV", but not
>> in TODEV... presumably because there's no way for Samba to map the
>> TODEV short name to a DNS "SRV" query to find the LDAP server details.
>>
>> What would be the correct way to go about this when the domain short
>> name, and the DNS don't match?
>
> What version of Samba?
> Are the trusts two way?
>
> You should remove 'winbind use default domain'
>
> Rowland
>
> --

I don't believe it's a two way trust, since the "MAIN" domain is the authentication domain, while the DEV/TODEV domains contain their own resources but the MAIN domain does not trust users in the DEV/TODEV domains.

As I say, it works with DEV, if I run wbinfo -r jlewis, I can see my group memberships in DEV, but not TODEV.

--
A. James Lewis (james at fsck.co.uk)
"Engineering does not require science. Science helps a lot but people built perfectly good brick walls long before they knew why cement works."
Andrew Bartlett
2017-Sep-28 19:16 UTC
[Samba] Trusted domain with different short name to DNS name.
On Thu, 2017-09-28 at 13:57 +0000, A. James Lewis via samba wrote:
> Hey,
>
> I have 2 trusted domains to deal with, "DEV" and "TODEV", and I have configured smb.conf like this:-
> The issue is that "TODEV" is the short name, while the DNS name is to.dev.domain.local.... I can see group memberships in "DEV", but not in TODEV... presumably because there's no way for Samba to map the TODEV short name to a DNS "SRV" query to find the LDAP server details.
>
> What would be the correct way to go about this when the domain short name, and the DNS don't match?

We generally don't make simplistic mappings like that. We connect to the domain and ask it for both of its names.

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
A. James Lewis
2017-Sep-28 20:03 UTC
[Samba] Trusted domain with different short name to DNS name.
September 28, 2017 8:52 PM, "Andrew Bartlett" <abartlet at samba.org> wrote:

> On Thu, 2017-09-28 at 13:57 +0000, A. James Lewis via samba wrote:
>
>> Hey,
>>
>> I have 2 trusted domains to deal with, "DEV" and "TODEV", and I have configured smb.conf like
>> this:-
>>
>> The issue is that "TODEV" is the short name, while the DNS name is to.dev.domain.local.... I can
>> see group memberships in "DEV", but not in TODEV... presumably because there's no way for Samba to
>> map the TODEV short name to a DNS "SRV" query to find the LDAP server details.
>>
>> What would be the correct way to go about this when the domain short name, and the DNS don't match?
>
> We generally don't make simplistic mappings like that. We connect to
> the domain and ask it for both of its names.
>
> Andrew Bartlett
>

OK, but I'm slightly lost trying to work out how it knows the domain exists in the first place, or what its DNS name is... does it get that through the main domain, or is there some other magic that occurs, since it definitely can't get from TODEV to to.dev, I don't think at least.

--
A. James Lewis (james at fsck.co.uk)
"Engineering does not require science. Science helps a lot but people built perfectly good brick walls long before they knew why cement works."