[Samba] allow trusted domains
simo
idra at samba.org
Sat Mar 3 07:56:09 MST 2012
On Sat, 2012-03-03 at 16:59 +0700, Victor Sudakov wrote:
> Andrew Bartlett wrote:
> > > As written in http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/idmapper.html
> > >
> > > "Where winbindd is not used Samba (smbd) uses the underlying
> > > UNIX/Linux mechanisms to resolve the identity of incoming network
> > > traffic. This is done using the LoginID (account name) in the session
> > > setup request and passing it to the getpwnam() system function call.
> > > This call is implemented using the name service switch (NSS) mechanism
> > > on modern UNIX/Linux systems. By saying "users and groups are local,"
> > > we are implying that they are stored only on the local system, in the
> > > /etc/passwd and /etc/group respectively.
> > >
> > > For example, when the user BERYLIUM\WambatW tries to open a connection
> > > to a Samba server the incoming SessionSetupAndX request will make a
> > > system call to look up the user WambatW in the /etc/passwd file. "
> > >
> > > My question: if BERYLIUM trusts ANOTHERDOMAIN, and
> > > ANOTHERDOMAIN\WambatW tries to open a connection to my Samba server,
> > > what user will be looked up in /etc/passwd?
> >
> > It should be:
> > ANOTHERDOMAIN\WambatW
>
> A Unix user with a slash in the login name? Sorry I doubt that because
> I have a script in smb.conf:
>
> add user script = /usr/sbin/pw useradd %u -m -Y -M 755
>
> and the script's log shows that those users from trusted domains are
> being created as "WambatW", not "ANOTHERDOMAIN\WambatW".
>
> How/where can I see/debug the actual mapping happening?
When using trusted domains you should run winbindd, relying on add user
script is basically not supported/tested for trusted domain.
Simo.
--
Simo Sorce
Samba Team GPL Compliance Officer <simo at samba.org>
Principal Software Engineer at Red Hat, Inc. <simo at redhat.com>
More information about the samba
mailing list