[Samba] Interdomain Trust: winbind not working
Matteo Calcagnini
calcagnini at publinet.it
Mon Sep 11 14:09:49 GMT 2006
Hi there,
I have a problem configuring an interdomain trust; this is
my scenario (a very simple one):
domain domA (windows 2000 mixed mode) trusting domB (samba 3.0.23a-1)
and vice-versa.
Some wbinfo output:
ale:~# wbinfo -m
RGM5
ale:~# wbinfo --sequence
RGM5 : DISCONNECTED
BUILTIN : 1157982872
SYS2 : 1157982872
ale:~# wbinfo -t
checking the trust secret via RPC calls succeeded
ale:~# wbinfo -u
Error looking up domain users
ale:~# wbinfo -g
BUILTIN\administrators
BUILTIN\users
ale:~# wbinfo -a RGM5\\publinetrgm%*******
plaintext password authentication succeeded
challenge/response password authentication succeeded
(this seems to authenticate a user of the trusted domain...)
I joined the Samba PDC to its domain (SYS2) and established the trust with
net rpc trustdom establish SYS2
Everything seems to work fine, since I can use smbclient with a user of the
trusted domain; the only thing that is not working is winbind:
I can't map the trusted domain users to Unix users.
I noticed that Samba creates a Unix account every time I log into it with
a user of the trusted domain, but how can I get winbind to work?
This is my smb.conf:
#======================= Global Settings =======================
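[global]
# Identity of this host and the NT domain it controls.
netbios name = ALE
workgroup = SYS2
# Browser election settings: this host is meant to win and be domain/local master.
os level = 64
preferred master = yes
domain master = yes
local master = yes
# This host is the PDC for SYS2; logon scripts are served from the [netlogon] share.
domain logons = yes
nt acl support = yes
# An empty 'logon path' is the usual way to disable roaming profiles; the logon
# drive maps the user's [homes] share.
logon path =
logon drive = H:
logon home = \\ale\%U
logon script = logon.bat
##### Add/Remove user scripts #####
# smbd runs these as root to keep Unix accounts/groups in step with the domain.
# 'add user script' fires when a user authenticates successfully but has no Unix
# account yet -- presumably also for RGM5 users that NSS cannot resolve through
# winbind, which would explain the account being created on every trusted-domain
# logon described above. NOTE(review): confirm /etc/nsswitch.conf lists winbind for
# passwd and group; without that the idmap ranges below never surface as accounts.
add user script = /usr/sbin/useradd -m %u
delete user script = /usr/sbin/userdel -r %u
add group script = /usr/sbin/groupadd %g
delete group script = /usr/sbin/groupdel %g
add user to group script = /usr/sbin/groupmod -A %u %g
delete user from group script = /usr/sbin/groupmod -R %u %g
# Machine trust accounts get no login shell and a placeholder home directory.
add machine script = /usr/sbin/useradd -s /bin/false -d /var/lib/nobody %u
#### WINBINDD configuration #####
# uid/gid ranges that winbindd may allocate to mapped domain users and groups.
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
# seconds
winbind cache time = 30
# NOTE(review): with 'use default domain' trusted-domain users are presented without
# the RGM5\ prefix, so a trusted user whose name also exists locally becomes
# ambiguous -- verify there are no such overlaps before relying on it.
winbind use default domain = yes
# NOTE(review): 'trusted domains only' tells winbindd not to serve the host's own
# domain (SYS2); local accounts are expected to come from /etc/passwd. That is
# presumably why "wbinfo -u" reports an error above while "wbinfo -m" lists only RGM5.
winbind trusted domains only = yes
winbind nested groups = yes
## Browsing/Identification ###
# The workgroup/NT-domain name is set at the top of this section (workgroup = SYS2).
# server string is the equivalent of the NT Description field
server string = PDC Sys2
# Windows Internet Name Serving Support Section:
# WINS Support - Tells the NMBD component of Samba to enable its WINS Server
; wins support = yes
# WINS Server - Tells the NMBD components of Samba to be a WINS Client
# Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
wins server = 192.168.92.205 192.168.92.206
# With 'dns proxy = yes' nmbd may fall back to DNS for NetBIOS names that are not
# registered with it (only relevant while it acts as a WINS server, which is off above).
dns proxy = yes
# What naming service and in what order should we use to resolve host names
# to IP addresses
; name resolve order = lmhosts host wins bcast
remote announce = 192.168.92.205
remote browse sync = 192.168.92.205
# Answer broadcast name queries on behalf of other hosts using the WINS database.
wins proxy = yes
#### Debugging/Accounting ####
# This tells Samba to use a separate log file for each machine
# that connects
log file = /var/log/samba/log.%m
# Raise this temporarily while diagnosing the trust; winbindd's own log file is the
# place to look for why RGM5 shows as DISCONNECTED in "wbinfo --sequence".
#log level = 3
# Put a capping on the size of the log files (in Kb).
max log size = 1000
# If you want Samba to only log through syslog then set the following
# parameter to 'yes'.
; syslog only = no
# We want Samba to log a minimum amount of information to syslog. Everything
# should go to /var/log/samba/log.{smbd,nmbd} instead. If you want to log
# through syslog you should set the following parameter to something higher.
syslog = 0
# Do something sensible when Samba crashes: mail the admin a backtrace
panic action = /usr/share/samba/panic-action %d
####### Authentication #######
# "security = user" is always a good idea. This will require a Unix account
# in this server for every user accessing the server. See
# /usr/share/doc/samba-doc/htmldocs/ServerType.html in the samba-doc
# package for details.
security = user
# You may wish to use password encryption. See the section on
# 'encrypt passwords' in the smb.conf(5) manpage before enabling.
encrypt passwords = yes
# If you are using encrypted passwords, Samba will need to know what
# password database type you are using.
passdb backend = tdbsam
; obey pam restrictions = yes
# Unix identity used for anonymous access to shares that set 'guest ok'/'public'
# (the [z] share below is guest-writable under this account).
guest account = nobody
# Commented out: root is therefore accepted as an SMB user if it has a passdb entry
# (the [print$] write list below presumably relies on that).
; invalid users = root
# This boolean parameter controls whether Samba attempts to sync the Unix
# password with the SMB password when the encrypted SMB password in the
# passdb is changed.
; unix password sync = no
# For Unix password sync to work on a Debian GNU/Linux system, the following
# parameters must be set (thanks to Augustin Luton <aluton at hybrigenics.fr> for
# sending the correct chat script for the passwd program in Debian Potato).
passwd program = /usr/bin/passwd %u
# Rejoined onto one line: the posted copy had this value wrapped, which would leave
# the second half as an unparseable line.
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
# This boolean controls whether PAM will be used for password changes
# when requested by an SMB client instead of the program listed in
# 'passwd program'. The default is 'no'.
; pam password change = no
#### *********** Unix/Windows Username Mapping file *********** ####
# Maps Windows logon names to Unix names before account lookup; entries here can
# also affect how RGM5 users land on local accounts -- worth checking while
# debugging the trust.
username map = /etc/samba/users.map
########## Printing ##########
# If you want to automatically load your printer list rather
# than setting them up individually then you'll need this
load printers = yes
# CUPS printing. See also the cupsaddsmb(8) manpage in the
# cupsys-client package.
printing = cups
printcap name = cups
############ Misc ############
# Using the following line enables you to customise your configuration
# on a per machine basis. The %m gets replaced with the netbios name
# of the machine that is connecting
; include = /home/samba/etc/smb.conf.%m
# Most people will find that this option gives better performance.
# See smb.conf(5) and /usr/share/doc/samba-doc/htmldocs/speed.html
# for details
# You may want to add the following on a Linux system:
# SO_RCVBUF=8192 SO_SNDBUF=8192
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192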
#======================= Share Definitions =======================
[homes]
# Per-user home share. %U is the requested session username, so with
# 'winbind use default domain' an RGM5 user presumably lands in /home/<name>
# just like a local one -- confirm that this is the intended layout.
comment = Home Directories
path = /home/%U/
# Kept out of browse lists; new files and directories are created owner-only.
browsable = no
read only = no
create mode = 0700
directory mode = 0700
# Un-comment the following and create the netlogon directory for Domain Logons
# (you need to configure Samba to act as a domain controller too.)
[netlogon]
# Serves logon.bat (see 'logon script' in [global]) to domain members at logon.
# Anything placed in the path below runs on every client at logon time, so write
# access to that directory on the filesystem should be limited to root.
comment = Network Logon Service
path = /var/lib/samba/netlogon
# Hidden from browse lists; anonymous (guest) reads allowed, never writable over SMB.
browseable = no
public = yes
read only = yes
share modes = no
#[profiles]
# path = /var/lib/samba/profiles
# profile acls = yes
# read only = no
# create mask = 0600
# directory mask = 0700
# browsable = no
# force user = %U
[printers]
# Print-queue share backed by CUPS ('printing = cups' in [global]); spool files
# are written under /tmp.
comment = All Printers
path = /tmp
printable = yes
# Authenticated users only; the share is not writable apart from spooling.
guest ok = no
read only = yes
browseable = no
# Spool files are created owner-only.
create mask = 0700
# Windows clients look for this share name as a source of downloadable
# printer drivers
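[print$]
# Driver download point for Windows clients.
comment = Printer Drivers
path = /var/lib/samba/printers
browseable = yes
read only = yes
guest ok = no
# Remote administration of Windows print drivers is enabled for the accounts below.
# Drivers uploaded here are later installed on every client that connects to a
# printer, so keep membership of 'ntadmins' (and use of root over SMB) tight.
write list = root, @ntadmins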
#### **************** Custom Shares for SYS2 ***************** ####
[z]
# Shared resource "z" for the SYS2 domain.
comment = risorsa condivisa z
path = /home/shares/z
# Anonymous clients may read and write here as the [global] 'guest account'
# (nobody); confirm that guest write access is really intended.
guest ok = yes
read only = no
printable = no
# Members of these groups perform all file operations on this share as root.
# Note that this includes the *trusted* domain's Domain Admins group, i.e. RGM5
# administrators get root-equivalent file access on this host's share.
admin users = @ntadmins, "@RGM5\Domain Admins"
# Effective mode is (mapped mode & mask) | force mode: files end up 0664 plus any
# execute bits the DOS-attribute mapping sets, directories 0775.
# NOTE(review): a create mask of 0110 is unusual; confirm it is intended.
create mode = 0110
force create mode = 0664
directory mode = 0775
force directory mode = 0775
Thank you all.
--
__________________________________
Matteo Calcagnini
Sir S.r.l. - Publinetwork