[Samba] auth to two diff PDCs? (success, sort of)

Collins, Kevin KCollins at nesbittengineering.com
Mon Oct 28 13:39:01 GMT 2002


Hi All:

Excuse me for butting in here, but I'm planning a migration from WinNT 4
to Samba in the near future and this thread has caused me to worry a
little.

Take the case that I'm planning:  3 Domains each to its own LAN
(connected via 128k Frame Relay lines to form a WAN). Each domain
currently has an NT 4 PDC and each domain "trusts" each other.  How do I
accomplish these "trusts" only using Samba PDCs?

Meaning:  If I rip out the NT Domains, replace the PDCs with Samba PDCs
and rebuild new domains (new Domain Names, new NetBIOS names for the
PDCs, etc.)  How do I get the three domains to once again trust each
other?  Is there a Samba command to do this?

Thanks,

Kevin L. Collins, MCSE
Systems Manager
Nesbitt Engineering, Inc.


> -----Original Message-----
> From: Mathew McKernan [mailto:mathewmckernan at optushome.com.au]
> Sent: Monday, October 28, 2002 2:39 AM
> To: Matthew Hannigan; Andrew Bartlett
> Cc: Matthew Hannigan; samba at lists.samba.org; samba-technical at samba.org
> Subject: Re: [Samba] auth to two diff PDCs? (success, sort of)
> 
> 
> Hi Matthew,
> 
> Andrew is talking about domain trusts here. When the client asks for a
> connection to a share or the samba server itself, the samba daemon will
> check if the user is valid to the PDC. Domain trusts enable 2 domains to
> "know" each other's users.
> 
> However in some cases this is dangerous, in my situation at work, we have 2
> LANs (physically separate) and have separate NT Domains for that reason.
> However we wanted to allow staff to logon to either domain but have access
> to their home drive. To solve this we ran 2 copies of samba (installed to
> different locations) and each copy is a member of the domain they are to
> serve. Then using the "interfaces" config option in smb.conf we force each
> copy of samba to bind to the LAN it serves.
> 
> In your case it sounds as if you are running one LAN but with 2 domains that
> don't trust each other. Either establish a trust between the two LANs, or
> use the method above. You will need to set the name differently for each
> copy of Samba, using "netbios name" in smb.conf, or you will get conflicts.
> 
> Thanks
> 
> Mathew
> 
> 
> ----- Original Message -----
> From: "Matthew Hannigan" <mlh at zip.com.au>
> To: "Andrew Bartlett" <abartlet at samba.org>
> Cc: "Matthew Hannigan" <mlh at zip.com.au>; <samba at lists.samba.org>;
> <samba-technical at samba.org>
> Sent: Monday, October 28, 2002 5:25 PM
> Subject: Re: [Samba] auth to two diff PDCs? (success, sort of)
> 
> 
> > On Mon, Oct 28, 2002 at 04:56:03PM +1100, Andrew Bartlett wrote:
> > > Andrew Bartlett wrote:
> > > >
> > > > Matthew Hannigan wrote:
> > > > >
> > > > > > With a single server, settings "security = server"  and
> > > > > > "password server =  pdc1 pdc2", I can successfully
> > > > > > authenticate against two entirely different PDCs
> > > > > > depending on which order I put the two machines in
> > > > > > the 'password server' list.
> > > > > >
> > > > > > Is there some way of forcing clients from either
> > > > > domain to authenticate against the 'right' pdc,
> > > > > regardless of the order in the 'password server'
> > > > > config?
> > > > >
> > > > > What is the algo for choosing auth server out of a
> > > > > list, anyway?
> > > > >
> > > > > If so it'd be a nice cheap way of getting what
> > > > > we would otherwise have to wait for trust relationship
> > > > > support for.
> > > >
> > > > The reason we don't support this already is that while the auth works, a
> > > > *lot* of other things break.
> > >
> > > But if one PDC trusts the other, then security=domain will do this stuff
> >
> > Except that the users would have to be on the server, right? Since
> > (according to the docs (smb.conf)) the network logon comes from the
> > server, not the workstation.
> >
> > What precisely does 'on the server' mean anyway?  In the smbpasswd
> > file?  We don't use that; we just have the unix user (/etc/passwd)
> >
> > Matt
> 
> 
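Added example, not part of the thread and not Samba project code: a small Python check for the two-instance setup described in the quoted reply, confirming that the two smb.conf files use different "netbios name" and "interfaces" values and are joined to different domains. The check for "bind interfaces only" (the smb.conf parameter that limits which interfaces serve requests) is this example's own addition, and every domain, host and interface name is a constructed placeholder.

```python
import re

def parse_global(text):
    """Return the [global] parameters of an smb.conf as a dict (lower-cased names)."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params

def check_pair(conf_a, conf_b):
    """List the ways two Samba instances on one host would collide or over-listen."""
    a, b = parse_global(conf_a), parse_global(conf_b)
    problems = []
    for label, p in (("A", a), ("B", b)):
        for key in ("workgroup", "netbios name", "interfaces"):
            if key not in p:
                problems.append(f"{label}: '{key}' is not set")
        # Assumption of this example: 'interfaces' is paired with 'bind interfaces only'.
        if p.get("bind interfaces only", "no").lower() not in ("yes", "true", "1"):
            problems.append(f"{label}: 'bind interfaces only' is not enabled")
    for key in ("netbios name", "workgroup"):
        if key in a and key in b and a[key].upper() == b[key].upper():
            problems.append(f"both instances use {key} {a[key]!r}")
    shared = set(a.get("interfaces", "").split()) & set(b.get("interfaces", "").split())
    if shared:
        problems.append(f"both instances bind {sorted(shared)}")
    return problems

# Constructed sample configs; domain, host and interface names are placeholders.
LAN_A = """[global]
   workgroup = DOMAIN_A
   netbios name = HOMES-A
   security = domain
   interfaces = eth0
   bind interfaces only = yes
"""
LAN_B = LAN_A.replace("DOMAIN_A", "DOMAIN_B").replace("HOMES-A", "HOMES-B").replace("eth0", "eth1")
# Second instance copied from the first with only the domain changed.
LAN_B_BAD = LAN_A.replace("DOMAIN_A", "DOMAIN_B").replace("bind interfaces only = yes", "")

if __name__ == "__main__":
    print(check_pair(LAN_A, LAN_B))
    for problem in check_pair(LAN_A, LAN_B_BAD):
        print("conflict:", problem)
```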