Ralph Boehme
2024-Nov-22 21:02 UTC
[Samba] Accessing Samba domain member shares from trusted domain
On 11/22/24 8:46 PM, Vaughan, Robert J via samba wrote:
> When you said I can't use idmap_ad in my trusting domain because
> 'we're not allowed to talk to a DC in the trusted domain', does that
> still apply even if we can provide a read-only DC from the trusted
> domain inside the trusting domain network?

Yes, because the system accesses resources with the machine account that is part of your domain, and due to the one-way trust, accounts from your domain are not allowed to authenticate in the trusted domain.

Iirc you should be able to use idmap_rfc2307 instead, as that allows specifying an account name to use to authenticate to the LDAP server, which can be an AD DC.

I've never set up something like this myself, but I'm sure one of my colleagues from our Samba team at SerNet has. Let me know if you need help with this and want to work with someone who knows this stuff. :)

-slow

--
SerNet Samba Team Lead https://sernet.de/
Samba Team Member https://samba.org/
SAMBA+ packages https://samba.plus/
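To make the suggestion concrete, here is an added example of what the idmap part of smb.conf on the domain member could look like (it is not configuration from the thread or from the Samba project's docs); the domain names TRUSTING/TRUSTED, the DC hostname, the ranges and the DNs are placeholder assumptions, and it assumes the trusted domain's (read-only) DC answers LDAP from inside the trusting network.

```ini
# Added example, not from the thread. Member server is joined to TRUSTING;
# users come from TRUSTED over a one-way trust. All names, DNs and ranges
# are placeholders (assumptions).
[global]
   security = ads
   workgroup = TRUSTING
   realm = TRUSTING.EXAMPLE.COM

   # Default and own-domain mappings as usual (ranges must not overlap).
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config TRUSTING : backend = ad
   idmap config TRUSTING : schema_mode = rfc2307
   idmap config TRUSTING : range = 10000-999999

   # Trusted domain: idmap_ad would bind with the TRUSTING machine account,
   # which the one-way trust does not allow. idmap_rfc2307 in stand-alone
   # mode binds to the TRUSTED DC's LDAP with a dedicated TRUSTED account.
   idmap config TRUSTED : backend = rfc2307
   idmap config TRUSTED : range = 1000000-1999999
   idmap config TRUSTED : ldap_server = stand-alone
   idmap config TRUSTED : ldap_url = ldaps://rodc.trusted.example.com
   idmap config TRUSTED : ldap_user_dn = CN=svc-idmap,OU=Service Accounts,DC=trusted,DC=example,DC=com
   idmap config TRUSTED : bind_path_user = OU=Users,DC=trusted,DC=example,DC=com
   idmap config TRUSTED : bind_path_group = OU=Groups,DC=trusted,DC=example,DC=com
   # idmap_rfc2307 matches users on the "uid" attribute by default. If the
   # TRUSTED accounts only carry sAMAccountName/cn, either populate uid or
   # switch to matching on cn:
   ; idmap config TRUSTED : user_cn = yes
```

The bind password does not go into smb.conf; it is stored with `net idmap set secret TRUSTED <password>`, after which `wbinfo -i 'TRUSTED\someuser'` should return the uidNumber/gidNumber read from the trusted DC.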
Vaughan, Robert J
2024-Nov-25 16:17 UTC
[Samba] Accessing Samba domain member shares from trusted domain
Hi Ralph,

Thanks for the reply. Any help at all is appreciated, but are you implying a consulting arrangement?

Thanks,
Rob