Ralph Boehme
2024-Nov-12 17:58 UTC
[Samba] Accessing Samba domain member shares from trusted domain
On 11/12/24 6:49 PM, Vaughan, Robert J via samba wrote:
> Ok well I have that setting you mention
>
> I just can't map my trusted AD account in the trusting domain on my
> Linux Samba domain member
>
> I can't see any users in the trusted domain actually
>
> wbinfo -u --domain=TRUSTED
>
> returns nothing at all

This is as expected. We're not allowed to talk to a DC in the trusted domain to query a user list. That can't be done via a trust route.

> I did see an article that suggested the POSIX attributes for AD
> users need to be published to the AD global catalogue before they
> can be accessed in the external trust domain? My Wintel AD guys
> say the attributes are not published. But still I might expect to
> see users listed with wbinfo even if their POSIX attributes are not
> allowing use as a UNIX account?

You can't use idmap_ad for a trusted domain with outbound trust, as we can't connect to a DC in that domain via LDAP. You have to use a different idmap backend. You could also use idmap_rfc2307 to point at an LDAP server that does allow connections and also stores the mappings.

-slow

--
SerNet Samba Team Lead https://sernet.de/
Samba Team Member https://samba.org/
SAMBA+ packages https://samba.plus/
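An added illustration of the backend split Ralph describes, not configuration posted in this thread or taken from the Samba project's documentation: the member server keeps idmap_ad for its own domain (whose DCs it can reach over LDAP) and maps the trusted domain through idmap_rfc2307 against a stand-alone LDAP server that the member can connect to and that stores the uidNumber/gidNumber attributes. Domain names, ranges, hostnames and DNs below are constructed placeholders.

```ini
# Added example smb.conf fragment; TRUSTING/TRUSTED, ranges, hosts and DNs are placeholders.
[global]
   security = ads
   workgroup = TRUSTING
   realm = TRUSTING.EXAMPLE.COM

   # Catch-all for SIDs from domains not configured explicitly below
   idmap config * : backend = tdb
   idmap config * : range = 3000000-3999999

   # Own domain: winbind can query its DCs over LDAP, so idmap_ad works here
   idmap config TRUSTING : backend = ad
   idmap config TRUSTING : schema_mode = rfc2307
   idmap config TRUSTING : range = 10000-999999

   # Trusted domain (outbound trust): its DCs are not reachable over LDAP from
   # this member, so resolve its users/groups via a reachable stand-alone LDAP
   # server that holds the POSIX attributes for those accounts
   idmap config TRUSTED : backend = rfc2307
   idmap config TRUSTED : range = 2000000-2999999
   idmap config TRUSTED : ldap_server = stand-alone
   idmap config TRUSTED : ldap_url = ldap://idmap-ldap.trusting.example.com
   idmap config TRUSTED : ldap_user_dn = cn=idmap,dc=idmap,dc=example,dc=com
   idmap config TRUSTED : bind_path_user = ou=People,dc=idmap,dc=example,dc=com
   idmap config TRUSTED : bind_path_group = ou=Group,dc=idmap,dc=example,dc=com
```

The three ranges must not overlap, since winbind decides which backend owns an ID by range. The bind password for ldap_user_dn is stored in secrets.tdb with `net idmap set secret TRUSTED <password>` rather than in smb.conf. Because user enumeration across the trust is not possible (the `wbinfo -u --domain=TRUSTED` result above is expected), check individual mappings instead: `wbinfo -n 'TRUSTED\someuser'` resolves the name to a SID through the trust, and `wbinfo -S <that SID>` then shows whether the rfc2307 lookup returns the UID the LDAP entry carries.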
Vaughan, Robert J
2024-Nov-12 18:27 UTC
[Samba] Accessing Samba domain member shares from trusted domain
Ah... now it is starting to make sense. Seems a lot of work to stand up a duplicate LDAP just for this. Users do need to use their assigned UID here too. I think they should use a Windows file server and CIFS mounts on the Linux boxes?

Thanks,
Rob
Vaughan, Robert J
2024-Nov-22 19:46 UTC
[Samba] Accessing Samba domain member shares from trusted domain
Hi Ralph,

When you said I can't use idmap_ad in my trusting domain because "we're not allowed to talk to a DC in the trusted domain", does that still apply even if we can provide a read-only DC from the trusted domain inside the trusting domain network?

Thanks,
Rob