[Samba] Re: Trusting and Trusted Domain Samba LDAP (mapping Home Directories)Problem

Igor Belyi sambauser at katehok.ac93.org
Thu Oct 28 14:48:34 GMT 2004


Interesting... Commenting out "add user script" did allow me to login 
and winbind entries to be created, but I do believe that there's a problem 
with Samba then - local users should be created only for the Domain the PDC 
manages. I would expect that it should fall to winbind immediately after 
realizing that it's another Domain. I'll try to investigate this one.

On the other hand, after login, testB's home was correctly mapped from 
DomainB's server machine, so I still don't see the problem you 
encounter. Note that both my domains have Samba 3.0.7, and maybe the 
first thing you should try is to upgrade your PDCs to this latest stable 
version as well.

Igor

Adrian Chow wrote:

> Hi Igor,
>
> I think it is default in the smb.conf script that if you login as a 
> user that is not found in the PDC, and that the user is found in the 
> remote domain that is trusted, the "add user script = " will be 
> activated. You can prevent users from being created if you do not 
> specify "add user script" in the smb.conf.
>
> adrian
>
>
> Igor Belyi wrote:
>
>> I've tried to login with a user testB which exists in DomainB but not 
>> in DomainA (Client XP is a DomainA member) and noticed that there's 
>> an attempt in DomainA to create a local user testB. I'm trying to 
>> investigate if there is any problem with my winbind setup in DomainA...
>>
>> I'll keep you posted.
>> Igor
>>
>> Igor Belyi wrote:
>>
>>> Adrian Chow wrote:
>>>
>>>> Hi Igor,
>>>>
>>>> Thanks for your prompt reply.
>>>>
>>>> Just curious whether you have read my previous email regarding the 
>>>> different setup for my side.  I have :-
>>>> Domain A controller :- openldap 2.1.23 (slave), samba 3.04 (PDC)
>>>> Domain B controller :- openldap 2.1.30-3 (slave), samba 3.07 (PDC)
>>>> Main LDAP server : - openldap 2.0.27-3.bunk (master).
>>>
>>> So you have the same LDAP directory for both PDCs? Can you show 
>>> smb.conf for both PDCs? How did you configure your LDAP slaves - do 
>>> they have write access to the entries PDC uses?
>>>
>>>> Question 1:- Wonder if there will be a problem with the openldap 
>>>> setup?  Should I upgrade all the LDAP to have same version?
>>>
>>> Since we don't know yet what kind of problem you face, it's difficult 
>>> to say if the LDAP version matters. My guess is it does not, and that the 
>>> newer the version you have, the better.
>>>
>>>> Question 2:- If I were to upgrade Domain A to samba 3.07 (as I 
>>>> thought there could be a potential problem with the 
>>>> trusting/trusted domains), any clue of how can I upgrade to samba 
>>>> 3.07 without losing the SID or any problems?    I was thinking of 
>>>> doing the following:-
>>>> 1.  Backup the smb.conf file
>>>
>>> I don't think smb.conf gets changed during upgrade, but backups 
>>> never hurt.
>>>
>>>> 2.  smbldap-conf file (containing the SID number).
>>>
>>> It will make sense if you plan to update the smbldap tools as well. 
>>> Note that the Domain SID which Samba uses is kept in an LDAP entry and the 
>>> one written in the smbldap-conf file should mirror it. And since it is 
>>> kept in LDAP, an upgrade of Samba 3.x should not change it. I 
>>> don't remember big changes in smbldap-conf between 3.0.4 and 3.0.7 
>>> Sambas, but I would recommend looking at the 'diff' between the backed-up 
>>> and newly installed versions to verify that.
>>>
>>>> Is there anything I left out?  Will the SID be changed?  The 
>>>> reason I ask was because I already got a domain member server under 
>>>> domain A (samba 3.04) and I do not want to lose the SID cos I have 
>>>> like 260 users' home directories in that domain member server 
>>>> (windows 2003 server).
>>>>
>>>> Thanks in advance.
>>>>
>>>> Regards,
>>>>
>>>> adrian
>>>>
>>>> Igor Belyi wrote:
>>>>
>>>>> Sorry... Got busy with something else. I'll try to do the test 
>>>>> with different users tomorrow. There could be a problem with my 
>>>>> previous test since the user present in both Domains also has the 
>>>>> same password and this may allow credentials from one domain to 
>>>>> somehow be used in another.
>>>>>
>>>>> If you would collect a trace for both the 'login' and 'net user x: 
>>>>> /home' times, it would be great. Make sure that the trace is with 'log 
>>>>> level = 5' and, if you have more than one machine, that you collect the 
>>>>> trace for the Client XP machine (probably, by including %m in the 
>>>>> 'log file').
>>>>>
>>>>> I apologize for the delay.
>>>>> Igor
>>>>>
>>>>> Adrian Chow wrote:
>>>>>
>>>>>> Hi Igor,
>>>>>>
>>>>>> Wondering whether you have tried the scenario when a domain B user 
>>>>>> logs in on a domain A machine where the domain B username is not 
>>>>>> found in the domain A machine?  Can you still map the drives?
>>>>>>
>>>>>> Also you were asking for the smbd files.... how should I get 
>>>>>> them? During when I login or during when I typed the command 
>>>>>> "net use x: /home" on the dos prompt?
>>>>>>
>>>>>> Thanks.  Just concerned as I have not heard from you.
>>>>>>
>>>>>> adrian
>>>>>
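The three settings this thread turns on ("add user script" firing for a trusted-domain logon, the winbind idmap ranges that trusted-domain users need, and a 'log file' that includes %m so the Client XP machine's trace can be separated at 'log level = 5') can be checked mechanically against an smb.conf. The linter below is an added example, not code from the thread or from the Samba project: the option names are real smb.conf parameters, the two configurations are constructed, and the rule about "add user script" follows what the posts above report rather than any Samba documentation.

```python
"""Lint the [global] section of an smb.conf for the points raised in the thread.

Added example, not Samba's own tooling.  The option names are real smb.conf
parameters; the two configurations below are constructed for illustration.
"""
import re

# Constructed: a Samba 3.0.x PDC with the settings the thread found problematic.
WEAK_CONF = """
[global]
   workgroup = DOMAINA
   security = user
   domain logons = yes
   passdb backend = ldapsam:ldap://ldap.example.test
   add user script = /usr/sbin/smbldap-useradd -m "%u"
   log level = 5
   log file = /var/log/samba/smbd.log
"""

# Constructed: the same PDC with 'add user script' disabled, winbind id ranges
# configured, and one log per client machine via %m.
FIXED_CONF = """
[global]
   workgroup = DOMAINA
   security = user
   domain logons = yes
   passdb backend = ldapsam:ldap://ldap.example.test
   allow trusted domains = yes
   ; add user script = /usr/sbin/smbldap-useradd -m "%u"
   idmap uid = 10000-20000
   idmap gid = 10000-20000
   winbind separator = +
   template homedir = /home/%D/%U
   log level = 5
   log file = /var/log/samba/log.%m
"""


def parse_smb_conf(text):
    """Return {section: {parameter: value}}.

    Sections are [name]; parameters are 'name = value' with the name lowercased
    and internal whitespace collapsed; lines starting with # or ; are comments.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, value = line.partition("=")
        sections[current][" ".join(name.lower().split())] = value.strip()
    return sections


def _is_yes(value):
    return value.strip().lower() in ("yes", "true", "1")


def lint_global(conf):
    """Return a list of (code, message) findings for the [global] section."""
    g = conf.get("global", {})
    findings = []
    # Samba defaults 'allow trusted domains' to yes when it is not set.
    trusted = _is_yes(g.get("allow trusted domains", "yes"))
    if trusted and "add user script" in g:
        findings.append(("add-user-script",
                         "'add user script' is set while trusted domains are allowed; "
                         "the thread reports it firing for trusted-domain logons and "
                         "creating local users"))
    if trusted and not ("idmap uid" in g and "idmap gid" in g):
        findings.append(("idmap-missing",
                         "no 'idmap uid'/'idmap gid' ranges, so winbind cannot map "
                         "trusted-domain users to local ids"))
    # 'log level' may carry per-class levels, e.g. '5 winbind:10'; take the base.
    try:
        level = int(g.get("log level", "0").split()[0])
    except ValueError:
        level = 0
    if level >= 5 and "%m" not in g.get("log file", ""):
        findings.append(("log-file-no-client",
                         "'log level' is high enough for a trace but 'log file' has "
                         "no %m, so the client machine's log cannot be separated"))
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        print(label)
        for code, msg in lint_global(parse_smb_conf(text)) or [("ok", "no findings")]:
            print(f"  {code}: {msg}")
```

Run it as-is to see the weak configuration produce all three findings and the corrected one produce none; point `parse_smb_conf` at the contents of a real smb.conf to lint a PDC before enabling a trust. Setting 'allow trusted domains = no' silences the first two findings, since neither the script nor the idmap ranges matter when trusted-domain users cannot log on at all.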