PDC peering?

Mayers, Philip J p.mayers at ic.ac.uk
Thu Jun 22 16:21:49 GMT 2000


Which version of Samba? A little more information is needed, but to give you
the background to the trouble you're having...

I've never really been sure of the status, but what you're talking about is
using an account from a trusted domain to access a server in a given domain.
You didn't say what the "security" setting was in smb.conf - this is
important.

I'm pretty sure you need the username mapping functionality of Samba to do
that, but I'm not even sure that's enough. The problem is... well look at it
like this:

/etc/passwd

pfwe:x:501:501::/home/pfwe:/bin/bash
grrt:x:502:502::/home/grrt:/bin/bash

/etc/smbpasswd

pfwe:501:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[U          ]:LCT-394DFABF:
grrt:502:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[U          ]:LCT-394DFADB:


/etc/smb.conf

   workgroup = USDOMAIN
   server string = Samba Server
   security = domain
   encrypt passwords = yes
   smb passwd file = /etc/smbpasswd

And you've done an "smbpasswd -j USDOMAIN"

So, connecting from a client as:

	pfwe
or
	USDOMAIN\pfwe

The Samba server maps you to UID number 501, no problems there.

But, connecting as:

	UKDOMAIN\anotheruser

The Samba server has no way to map you to a unix user (which it must do to
setuid() down to you). So, the real answer is I don't know what happens.
HEAD and TNG have methods (winbind and SURS multi-domain algorithms) to deal
with this.

What security setting are you using in smb.conf?

Cheers,
Phil


-----Original Message-----
From: Erik Parker [mailto:eparker at mindsec.com]
Sent: Thursday, June 22, 2000 5:08 PM
To: Multiple recipients of list SAMBA-NTDOM
Subject: PDC peering?



Greetings,

First off, I am not an NT person at all. I despise it and refuse to use
it. However my company on the other hand does not.

We have a dozen samba boxes in the USA that auth off of US-PDC. The US-PDC
has a "trusted peering" relationship with the UK-PDC. However when the
machines ask the US-PDC for a password of a user who is set up on the
UK-PDC, the auth fails.

The NT peeps assure me that their peering crap is set up fine. So my
question is has anyone else seen this? How did you fix it?

Also, can Samba have a 'if fails on this PDC.. try this other PDC?' type
of setup?





Erik Parker
eparker at mindsec.com
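
The mapping problem described in the reply above, as an added example that is not part of the original thread and is not Samba code. It is a simplified model that looks a client-supplied name up in the local passwd data by user name only (an assumption), and it also checks that each smbpasswd entry has a Unix account with the same UID. The "ghost" entry, the LCT-00000000 value and the function names are constructed for illustration.

```python
# Added illustration: a simplified model of name-to-UID lookup, not Samba code.
X = "X" * 32  # password hashes masked, as in the post

PASSWD = (
    "pfwe:x:501:501::/home/pfwe:/bin/bash\n"
    "grrt:x:502:502::/home/grrt:/bin/bash\n"
)
# "ghost" is a constructed stale entry with no Unix account behind it.
SMBPASSWD = (
    f"pfwe:501:{X}:{X}:[U          ]:LCT-394DFABF:\n"
    f"grrt:502:{X}:{X}:[U          ]:LCT-394DFADB:\n"
    f"ghost:777:{X}:{X}:[U          ]:LCT-00000000:\n"
)

def parse_uids(text, uid_field):
    """Return {username: uid} from colon-separated account lines."""
    entries = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            fields = line.split(":")
            entries[fields[0]] = int(fields[uid_field])
    return entries

UNIX_USERS = parse_uids(PASSWD, 2)     # passwd: name:pw:uid:...
SMB_USERS = parse_uids(SMBPASSWD, 1)   # smbpasswd: name:uid:...

def audit(passwd, smbpasswd):
    """List smbpasswd entries with no Unix account or a different UID."""
    problems = []
    for name, uid in sorted(smbpasswd.items()):
        if name not in passwd:
            problems.append(f"{name}: no Unix account")
        elif passwd[name] != uid:
            problems.append(f"{name}: smbpasswd UID {uid} != passwd UID {passwd[name]}")
    return problems

def resolve(client_name, passwd):
    """Map 'user' or 'DOMAIN\\user' to a UID by user name; None if unmapped."""
    _domain, _sep, user = client_name.rpartition("\\")
    return passwd.get(user)

if __name__ == "__main__":
    for problem in audit(UNIX_USERS, SMB_USERS):
        print("audit:", problem)
    for name in ("pfwe", r"USDOMAIN\pfwe", r"UKDOMAIN\anotheruser"):
        uid = resolve(name, UNIX_USERS)
        print(f"{name!r} -> {uid if uid is not None else 'no Unix user, cannot setuid()'}")
```

Because this model ignores the domain part, a local account that happened to be named "anotheruser" would match the UKDOMAIN name as well.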