[Samba] Problems on HP-UX 11i with 'user add script'

Ryan Novosielski novosirj at umdnj.edu
Fri Jan 14 21:26:57 GMT 2005


The thing is, I do not want this behavior. I want to have a setup where 
the user only necessarily exists in one location (i.e., DOMA\freddy does 
not exist in DOMB... but I want him to be able to log into machines that 
live in DOMB). The problem I'm seeing is that Samba is often unable to 
create the placeholder account for DOMA\freddy in DOMB -- the "script" 
exits with status 1, for no reason that I can see (I will turn up debug 
higher).

Does Winbindd belong in this situation or no?

---- _  _ _  _ ___  _  _  _
|Y#| |  | |\/| |  \ |\ |  |  | Ryan Novosielski - User Support Spec. III
|$&| |__| |  | |__/ | \| _|  | novosirj at umdnj.edu - 973/972.0922 (2-0922)
\__/ Univ. of Med. and Dent. | IST/ACS - NJMS Medical Science Bldg - C630

On Tue, 4 Jan 2005, John H Terpstra wrote:

> On Tuesday 04 January 2005 14:49, Ryan Novosielski wrote:
>> This one doesn't make any sense to me. What's worse, it seems to
>> occasionally work and sometimes not. I am attempting to log into a domain
>> (DOMA let's say) and I only have an account on DOMB. When DOMA's Samba PDC
>> attempts to create a UNIX account for me, this is what happens:
>>
> ...
>> ...when running that command from a shell, it does not exit 1. I can't
>> figure out why it does that, or why there is a problem with the
>> netsamlogon_cache.tdb. I read something about requiring Winbindd, but I
>> don't see how my situation (two Samba PDC's with a trust relationship
>> between the two different domains) requires Winbindd, unless Winbindd
>> running would keep me from having to do 'add user script' work (simply
>> using the same accounting info via NSS that it is getting from Samba).
>>
>> Can someone shed some light on this for me? The docs are not making it
>> clearer.
>
> Let's consider an example:
>
> DOMA has a user 'freddy' with UID=2349
> DOMB has a user 'freddy' with UID=5412
>
> DOMA\freddy has SID='S-1-5-21-12345678-12345678-12345678-4698'
> DOMB\freddy has SID='S-1-5-21-87654321-87654321-87654321-10824'
>
> There is a two-way trust relationship between DOMA and DOMB. The method for
> establishing interdomain trusts is documented in the Samba-HOWTO-Collection.
> There is a chapter on it.
>
> DOMA\freddy is an entirely different person from DOMB\freddy. One is the CEO
> and the other the janitor. I guess the CEO of DOMA would not like the janitor
> of DOMB to have access to his files.
>
> What happens with your method? My guess:
> DOMB\freddy accesses DOMA and inherits DOMA\freddy file access permissions.
> After all, what is there to distinguish DOMA\freddy from DOMB\freddy - they
> will have the same account name because you will not create a new account by
> calling the user add script if the local account already exists. In other
> words DOMA\freddy is the same user as DOMB\freddy in your configuration.
>
> With winbind, DOMB\freddy will on access to the DOMA domain be allocated a UID
> out of the IDMAP UID pool, and for all intents and purposes will be an
> entirely different user from DOMA\freddy.
>
> Does that clear up why you need to use winbind? The other reason is that
> winbind caches the domain credentials for each trusted domain thus making the
> entire network operation more efficient.
>
> I hope this helps. This should be in the HOWTO-Collection - if not it must be
> added. I'll check and update this too.
>
> - John T.
> -- 
> John H Terpstra
> Samba-Team Member
> Phone: +1 (650) 580-8668
>
> Author:
> The Official Samba-3 HOWTO & Reference Guide, ISBN: 0131453556
> Samba-3 by Example, ISBN: 0131472216
> Hardening Linux, ISBN: 0072254971
> Other books in production.
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/listinfo/samba
>
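To make John's point concrete, here is an added illustration (not code from this thread and not Samba's own code) that models both identity mappings side by side. The SIDs, RIDs and the UID 2349 are the ones from his example; the idmap range 10000-20000 and the starting UID the script allocates from are assumed values. It also includes a small audit helper that lists which account names would be merged in a name-keyed setup.

```python
# Added illustration (not Samba code): why keying local accounts on the bare
# user name merges DOMA\freddy with DOMB\freddy, while keying on the SID, as
# winbind's idmap does, keeps them apart.  SIDs/RIDs/UID 2349 are from John
# Terpstra's example; the idmap range 10000-20000 is an assumed setting.
from dataclasses import dataclass, field

DOMA_SID = "S-1-5-21-12345678-12345678-12345678"
DOMB_SID = "S-1-5-21-87654321-87654321-87654321"


@dataclass
class NameKeyedAccounts:
    """Models a PDC whose 'add user script' is only invoked when no local
    account of that short name exists.  The domain part of DOM\\user is
    discarded, so the lookup key is just the name."""
    passwd: dict = field(default_factory=dict)   # name -> uid
    next_uid: int = 5000                         # assumed: where the script allocates new UIDs

    def logon(self, domain: str, name: str) -> int:
        if name not in self.passwd:              # only then is the script run
            self.passwd[name] = self.next_uid
            self.next_uid += 1
        return self.passwd[name]                 # existing name wins, whatever the domain


@dataclass
class SidKeyedIdmap:
    """Models winbind allocating UIDs from an idmap range, keyed on the full
    SID (domain SID + RID), so same-named users in different domains differ."""
    low: int = 10000                             # assumed idmap range
    high: int = 20000
    mapping: dict = field(default_factory=dict)  # sid -> uid

    def logon(self, domain_sid: str, rid: int) -> int:
        sid = f"{domain_sid}-{rid}"
        if sid not in self.mapping:
            uid = self.low + len(self.mapping)
            if uid > self.high:
                raise RuntimeError("idmap uid range exhausted")
            self.mapping[sid] = uid
        return self.mapping[sid]


def name_keyed_scenario() -> tuple:
    """DOMA's PDC already has its own 'freddy' as UID 2349; then DOMB\\freddy
    logs on.  Returns (uid for DOMA\\freddy, uid given to DOMB\\freddy)."""
    pdc = NameKeyedAccounts(passwd={"freddy": 2349})
    return pdc.logon("DOMA", "freddy"), pdc.logon("DOMB", "freddy")


def sid_keyed_scenario() -> tuple:
    """The same two logons resolved through the SID-keyed idmap."""
    idmap = SidKeyedIdmap()
    return idmap.logon(DOMA_SID, 4698), idmap.logon(DOMB_SID, 10824)


def name_collisions(local_names, trusted_domain_names):
    """Audit helper: names that exist both locally and in a trusted domain are
    exactly the ones a name-keyed setup would merge into one UID.
    Returns {name: [domains it collides with]}."""
    collisions = {}
    for dom, names in trusted_domain_names.items():
        for n in sorted(set(names) & set(local_names)):
            collisions.setdefault(n, []).append(dom)
    return collisions


if __name__ == "__main__":
    a, b = name_keyed_scenario()
    print(f"name-keyed: DOMA\\freddy={a} DOMB\\freddy={b} same={a == b}")
    a, b = sid_keyed_scenario()
    print(f"sid-keyed:  DOMA\\freddy={a} DOMB\\freddy={b} same={a == b}")
    # constructed sample data for the audit helper
    print(name_collisions({"freddy", "alice"}, {"DOMB": ["freddy", "bob"]}))
```

Running it shows the name-keyed PDC handing DOMB\freddy UID 2349, the CEO's files included, while the SID-keyed mapping gives the two freddys separate UIDs from the range. The audit helper is the check worth running before relying on 'add user script' across a trust: any name it reports is an identity the script cannot tell apart.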