[Samba] trusted domains - samba user authentification

Wed May 29 01:18:02 GMT 2002

I have a similar setup - Multiple domains with trusts, and Samba 2.2.4
instances on Solaris and IRIX joined to a Windows2000 domain.

There seems no way in the username.map file to distinguish between users on
different domains (trusting each other) with the same username.

For example, If I have an entry in the username.map file "fredf =
flintstone_f", then the NT user flintstone_f in any domain trusted by the
domain the samba server is a member of is mapped to the unix user fredf.

The good news seems to be that samba does know about domains.
Authentication errors reported in log.smbd mention a username, password
server _and_ the domain they tried to authenticate against.

Anyone else come across the same issue?

Is this functionality planned for 2.2.x, or is it in 3.x?

Cheers,

Gavin Timmins

 Company Legal Notice:
 ********************
 Pfizer Limited is registered in the UK. Company Number 526209

> -----Original Message-----
> From: samba-admin at lists.samba.org
> [mailto:samba-admin at lists.samba.org]On
> Behalf Of Hitzler Ronald
> Sent: 29 May 2002 08:35
> To: 'samba at lists.samba.org'
> Subject: [Samba] trusted domains - samba user authentification
>
>
> Hi!
>
> Background: We have a normal NT 4.0 Domain called AIRPORT and
> a Windows 2000
> Domain (server is in mixed mode) called MAIL. Connected to the AIRPORT
> Domain is a Samba 2.0.6 Server with security = domain. Both
> domains are
> trusting each other.
>
> I've a little problem understanding the user authentification with the
> trusted
> MAIL domain. I'll it explain with a little example:
>
> We have a user called "testuser" on both domains (AIRPORT\testuser and
> MAIL\testuser). If I create a share on the AIRPORT PDC
> (WINDOWS NT 4.0) for
> the user "testuser", I can access it from AIRPORT. If I logon
> to MAIL, I'm
> not allowed to access it. If I expnad the user rights to
> MAIL\testuser I can
> access again. So far no problem.
>
> BUT: If I make a samba share (rember: the samba server is using domain
> security
> and it's connected to AIRPORT) for our testuser there is no
> difference which
> domain
> I use for login. If I logon to MAIL I also have access to the
> Samba Share.
>
> It looks like samba makes no difference between MAIL\testuser and
> AIRPORT\testuser.
>
> Now my questions: Is it right, that samba doesn't consider
> the "Domain-Part"
> of the username if the domains are trusted?
> Is it a missing feature or "should it be as it is"?
> Or I am just too stupid to understand the whole trusted-thing?
>
> Thanks for your help!
>
> --------------------------------------------------------------
> -------------
> Ronald Hitzler
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  http://lists.samba.org/mailman/listinfo/samba
>