Remote Citrix Auth Pass-Through ...

Andrew Bartlett abartlet at
Sat Jan 10 08:13:36 GMT 2004

On Sat, Jan 10, 2004 at 09:30:48AM +0200, C.Lee Taylor wrote:
> Greetings ...
> 	I am posting here, because I believe this is a little more technical than 
> "I can't get my server work?" ...

This is still not the place.  Samba technical is not technical
support, it's technical development of Samba.

> 	A little background ...
> 	We have been forced by our head office to use AD and Citrix, not a bad 
> combo, but I like my Linux Servers and don't wish to lose them, so I 
> have been working towards a means to keep them and get our company 
> what they want ...
> 	We have 2xWin2K3 ADS DC server, and expect to have more than one Citrix 
> server.  My remote clients should be running Win9X or Win2K Clients off 
> a Linux File/Print/Mail server, which I have upgraded to FC1 and self 
> compiled Samba 3.0.2pre1 ( still test system ) ...
> 	Now my two problems, which one of the developers did give me a general 
> idea of what to do, but it did not work (sorry, I can't remember who it 
> was ) ...
> 	My remote clients, I would like to log into Samba as if it was a PDC, 
> so that I can run logging scripts and join them to the domain ... Currently 
> I am using Samba with LDAP and this works fine, but introducing ADS and 
> Citrix now has broken the very nice setup ... I don't wish to lose 
> flexibility or functionality by introducing winbind, which is what has 
> happened with my tests.

If you want to use the central accounts and passwords, you will need
to use winbind.

> 	If I use winbind, I can't set up a PDC.  It was explained to create a 
> trust between my Samba domain and ADS domain, and this way I should be 
> able to pass auth through the trust and as I have thought this through, 
> I believe all my users will belong in ADS domain and all the Machine 
> accounts would belong in Samba domain, but I can't get the trust working 
> ... I think this is because of the fact that our ADS is in native mode, 
> and the HowTo only converts Mixed mode, and warns against using/trying 
> in Native Mode ( somebody's got to try it some time ) ...

Now this is interesting.  We have the code to handle this, but we
don't use it.  The RPC backends *should* allow you to handle this, but
it is suboptimal.

> 	So, I was hoping that somebody might be able to help me, or if I am 
> missing info ( which I can't think of what to put in here without 
> flooding the list with information that is not needed ) what would be 
> best to forward ...

Start by setting an 'IPC username', with wbinfo --set-auth-user=...

> 	I don't have much control over the ADS system, some very basic stuff, 
> but I will not be able to convince the powers that be to switch it to 
> Mixed Mode ...
> 	Please can anybody with some insight, give me a hand ( and a nice cool 
> slap in the face is not what I am looking for ... given myself enough of 
> them ... )

I have a long-term goal of removing the need for a 'security=ADS'
parameter, moving to more autodetection.  This should help this kind
of thing a lot, as we can pick up what domains to do what with more

Andrew Bartlett
