[Samba] Domain trust between a Samba PDC domain and W2K ADdomain

Gaiseric Vandal gaiseric.vandal at gmail.com
Wed Jan 5 15:53:48 MST 2011 

I have a samba domain (Samba 3.4.x PDC) and a Windows 2003 (in 2003 
native mode) domain.   Trusts MOSTLY work-  having Samba recognize AD 
users is a little trickier.

For samba to trust windows, make sure you have idmap info defined in 
smb.conf.  I have an ldap backend-  it may not be quite correct.



#IDMAP DEFAULT ALLOC
idmap alloc backend = ldap
idmap alloc config:ldap_url = ldap://ldap1.mydomain.com
idmap alloc config:ldap_base_dn = ou=alloc,ou=idmap,o=mydomain.com
idmap alloc config:ldap_user_dn = cn=xxxx
idmap alloc config:range = 30000 - 79999



idmap config WINDOMAIN:backend = ldap
idmap config WINDOMAIN:readonly = no
idmap config WINDOMAIN:default=no
idmap config WINDOMAIN:ldap_base_dn = ou=windomain,ou=idmap,o=mydomain.com
idmap config WINDOMAIN:ldap_user_dn = cn=xxxx
idmap config WINDOMAIN:ldap_url = ldap://ldap1.mydomain.com
idmap config WINDOMAIN:range = 30000-39999




I would also make sure that both the samba and windows DC use the same 
WINS server.
You may want to have them use the same DNS server-  or at least make 
sure that the DNS server each is using supports the AD DNS stuff from 
the windows domain.

On the samba PDC, I also added an entry in krb5.conf for the trusted 
domain.  Not sure if that really mattered.    Samba logs indicated it 
was looking for the kdc for the administration domain.




On 01/05/2011 04:52 PM, tms3 at tms3.com wrote:
>
>
> SNIP
>>
>> Hi people.
>>
>> I'm working on a trust relation between Samba 3.3.X and Windows 2003
>> AD mixed mode.
>>
>> I have read the doc about this but for some reason wont work, my
>> PDC+LDAP is working but I still cannot make this 2 servers share
>> users.
> In my experience, it is fairly straightforward to get AD users trusted 
> by the Samba controlled Domain, although granualar file permissions 
> are tricky at best.  In the opposite direction, this is quite 
> difficult, unless the AD domain is in the very old now, mixed mode.
>>
>>
>>
>> Could u please give me the process u use to create the relation
>> between win2k3(in/out) and  samba?
>>
>> I will appreciated, thanks!!!
>>
>> -- 
>> LIving the dream...
>> -- 
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba
>

More information about the samba mailing list