[Samba] auth to two diff PDCs? (success, sort of)

Mathew McKernan mathewmckernan at optushome.com.au
Mon Oct 28 07:39:01 GMT 2002


Hi Matthew,

Andrew is talking about domain trusts here. When the client asks for a
connection to a share or the samba server itself, the samba daemon will
check if the user is valid to the PDC. Domain trusts enable 2 domains to
"know" each others users.

However in some cases this is dangerous, in my situation at work, we have 2
LANs (physically separate) and have separate NT Domains for that reason.
However we wanted to allow staff to logon to either domain but have access
to their home drive. To solve this we ran 2 copies of samba (installed to
different locations) and each copy is a member of the domain they are to
serve. Then using the "interfaces" config option in smb.conf we force each
copy of samba to bind to the LAN it serves.

In your case it sounds as if you are running one LAN but with 2 domains that
don't trust each other. Either establish a trust between the two LANs, or
use the method above. You will need to set the name differently for each
copy of Samba, using "netbios name" in smb.conf, or you will get conflicts.

Thanks

Mathew

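As an added illustration of the two-instance setup described above (not configuration from the original thread), here are constructed smb.conf fragments for the two copies; host names, addresses, domain names and install paths are placeholders. Note that "interfaces" alone only lists the addresses Samba knows about, so "bind interfaces only" is also set to keep each copy off the other LAN's interface.

```ini
# --- /opt/samba-lan1/lib/smb.conf : copy serving LAN 1, member of DOMA ---
# (all names, addresses and paths below are constructed placeholders)
[global]
   # must differ per instance or the two copies collide in NetBIOS name registration
   netbios name = FILESRV-A
   # the NT domain this copy has been joined to
   workgroup = DOMA
   security = domain
   password server = PDC-A
   # address of the NIC on LAN 1; bind only there, never on LAN 2
   interfaces = 192.168.1.10/24
   bind interfaces only = yes
   # separate state, lock, pid and log locations so the two copies do not clash
   private dir = /opt/samba-lan1/private
   lock directory = /opt/samba-lan1/var/locks
   pid directory = /opt/samba-lan1/var/locks
   log file = /opt/samba-lan1/var/log.%m

[homes]
   comment = Home Directories
   browseable = no
   writable = yes

# --- /opt/samba-lan2/lib/smb.conf : copy serving LAN 2, member of DOMB ---
[global]
   netbios name = FILESRV-B
   workgroup = DOMB
   security = domain
   password server = PDC-B
   interfaces = 192.168.2.10/24
   bind interfaces only = yes
   private dir = /opt/samba-lan2/private
   lock directory = /opt/samba-lan2/var/locks
   pid directory = /opt/samba-lan2/var/locks
   log file = /opt/samba-lan2/var/log.%m

[homes]
   comment = Home Directories
   browseable = no
   writable = yes
```

Each copy still has to be joined to its own domain before "security = domain" will authenticate anyone, and the home directories must exist under the same Unix account names on the box running both instances.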

----- Original Message -----
From: "Matthew Hannigan" <mlh at zip.com.au>
To: "Andrew Bartlett" <abartlet at samba.org>
Cc: "Matthew Hannigan" <mlh at zip.com.au>; <samba at lists.samba.org>;
<samba-technical at samba.org>
Sent: Monday, October 28, 2002 5:25 PM
Subject: Re: [Samba] auth to two diff PDCs? (success, sort of)


> On Mon, Oct 28, 2002 at 04:56:03PM +1100, Andrew Bartlett wrote:
> > Andrew Bartlett wrote:
> > >
> > > Matthew Hannigan wrote:
> > > >
> > > > With a single server, settings "security = server"  and
> > > > "password server =  pdc1 pdc2', I can successfully
> > > > authenticate against two entirely different PDCs
> > > > depending on which order I put the two machines in
> > > > the 'password server' list.
> > > >
> > > > Is there some way of forcing clients from either
> > > > domain to authenticate against the 'right' pdc,
> > > > regardless of the order in the 'password server'
> > > > config?
> > > >
> > > > What is the algo for choosing auth server out of a
> > > > list, anyway?
> > > >
> > > > If so it'd be a nice cheap way of getting what
> > > > we would otherwise have to wait for trust relationship
> > > > support for.
> > >
> > > The reason we don't support this already is that while the auth works, a
> > > *lot* of other things break.
> >
> > But if one PDC trusts the other, then security=domain will do this stuff
>
> Except that the users would have to be on the server, right? Since
> (according to the docs (smb.conf)) the network logon comes from the
> server, not the workstation.
>
> What precisely does 'on the server' mean anyway?  In the smbpasswd
> file?  We don't use that; we just have the unix user (/etc/passwd)
>
> Matt
