[Samba] losing NT4 WAN trust domains with samba-3.0.8+
Adam Cody
ajcody at gmail.com
Fri Dec 17 19:52:25 GMT 2004
If I use any of the binary packages for SuSE SLES9 greater than 3.0.7
I cannot see some of my NT4 trust domains via winbind.

We have 5 regular NT 4 domains that trust each other. Two of them are
within our LAN (local subnet), one of these domains the samba machine
is within ... security = domain.

There's another 5 domains that are set up for our AD environment for
Exchange, mixed mode. Using 3.0.7 and below, if I do a getent passwd I
can see accounts from all 10 domains. If I upgrade to 3.0.8-3.0.10 I
lose 3 of the 5 regular NT 4 domains. These domains are not within
my LAN, local subnet.
Some possible items from the 3.0.8 release notes that might explain this:
o New experimental idmap backend for assigning uids/gids
directly based on the user/group RID when acting as a
member of single domain without any trusts.
* Fix deadlock loop in winbind's required_membership_sid
verification.
* Bring the same level of "required_membership"-functionality
that ntlm_auth uses, to pam_winbindd as well.
* Add the idmap_rid module (written in conjunction with
Sumit Bose).
* Prevent idmap_rid from making unnecessary calls to domain
controllers for trusted domains.
Any help would be much appreciated, as it's stopping our Windows
fileserver replacement we were going to do during the holiday break.
Adam
_____________________________
**Works with samba 3.0.7 and below, fails with 3.0.8 and above
[global]
workgroup = RICK
interfaces = 127.0.0.1 eth0
bind interfaces only = true
passdb backend = ldapsam:ldap://linuxwest.XXXXXX.com
map to guest = guest
security = domain
encrypt passwords = yes
server string = Samba Server
netbios name = linuxwest
domain master = false
domain logons = no
local master = no
obey pam restrictions = yes
wins server = 172.XX.XXX.1
name resolve order = wins lmhosts hosts
username map = /etc/samba/smbusers
winbind use default domain = yes
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/%U
template shell = /bin/bash
ldap suffix = dc=XXXXXX,dc=com
ldap machine suffix = ou=People
ldap user suffix = ou=People
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap admin dn = cn=Manager,dc=ricardo-us,dc=com
idmap backend = ldap:ldap://linuxwest.XXXXXX.com
allow trusted domains = yes
map acl inherit = yes
add user script = /usr/sbin/smbldap-useradd.pl -a -m '%u'
delete user script = /usr/sbin/smbldap-userdel.pl '%u'
add group script = /usr/sbin/smbldap-groupadd.pl -p '%g'
delete group script = /usr/sbin/smbldap-groupdel.pl '%g'
add user to group script = /usr/sbin/smbldap-groupmod.pl -m '%u' '%g'
delete user from group script = /usr/sbin/smbldap-groupmod.pl -x '%u' '%g'
set primary group script = /usr/sbin/smbldap-usermod.pl -g '%g' '%u'
add machine script = /usr/sbin/smbldap-useradd.pl -w '%u'
host msdfs = yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 IPTOS_LOWDELAY
deadtime = 3
wins support = no
_________________________________
**Works with samba 3.0.7 and below, fails with 3.0.8 and above
[global]
workgroup = RICARDO
interfaces = 127.0.0.1 eth0
bind interfaces only = true
map to guest = guest
security = domain
encrypt passwords = yes
server string = Samba Server
netbios name = linuxeast
domain master = false
domain logons = no
local master = no
obey pam restrictions = yes
wins server = 172.20.161.1
name resolve order = lmhosts hosts wins bcast
username map = /etc/samba/smbusers
winbind use default domain = yes
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/%U
template shell = /bin/bash
allow trusted domains = yes
map acl inherit = yes
host msdfs = yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 IPTOS_LOWDELAY
deadtime = 3
wins support = no
passdb backend = tdbsam:/etc/samba/passdb.tdb smbpasswd:/etc/samba/smbpasswd
preferred master = auto
_________________________________
/etc/nsswitch.conf
passwd: compat winbind
group: compat winbind
hosts: files dns wins
networks: files dns
services: files
protocols: files
rpc: files
ethers: files
netmasks: files
netgroup: files
publickey: files
bootparams: files
automount: files nis
aliases: files
passwd_compat: ldap
group_compat: ldap
__________________________________
example pam.d file - login
#%PAM-1.0
auth sufficient pam_winbind.so
auth requisite pam_unix2.so nullok #set_secrpc
auth required pam_securetty.so
auth required pam_nologin.so
auth required pam_homecheck.so
auth required pam_env.so
auth required pam_mail.so
account sufficient pam_winbind.so
account required pam_unix2.so
password required pam_pwcheck.so nullok
password required pam_unix2.so nullok use_first_pass use_authtok
session required pam_unix2.so none # debug or trace
session required pam_limits.so
session required pam_homecheck.so
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
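
A check for the symptom described above, as an added example that is not part of the original post: it counts winbind-mapped accounts per domain in `getent passwd`-style output and lists the expected domains that have none. RICK and the 10000-20000 uid range come from the first smb.conf; the domain names LANDOM2, WANDOM1 and EXCH1, the sample lines, and the default `\` winbind separator are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Domain names other than RICK
# and all sample passwd lines are constructed for illustration.

# accounts_per_domain DEFAULT_DOMAIN  < passwd-format lines
# Prints "DOMAIN count" for accounts whose uid lies in the idmap range from
# the posted smb.conf (10000-20000). Names without a DOMAIN\ prefix are
# credited to DEFAULT_DOMAIN, matching "winbind use default domain = yes".
accounts_per_domain() {
    awk -F: -v def="$1" '
        $3 >= 10000 && $3 <= 20000 {
            n = index($1, "\\")                      # assumed separator: backslash
            dom = (n > 0) ? substr($1, 1, n - 1) : def
            count[toupper(dom)]++
        }
        END { for (d in count) print d, count[d] }' | sort
}

# missing_domains DEFAULT_DOMAIN "EXPECTED LIST"  < passwd-format lines
# Prints every expected domain that has no mapped account at all.
missing_domains() {
    seen=$(accounts_per_domain "$1" | cut -d' ' -f1)
    for d in $2; do
        echo "$seen" | grep -qxF "$d" || echo "$d"
    done
}

# Constructed sample: one default-domain user, one LAN trust, one AD domain,
# and nothing from the hypothetical WAN trust WANDOM1.
sample_passwd() {
cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
jsmith:*:10001:10000::/home/jsmith:/bin/bash
LANDOM2\akim:*:10002:10001::/home/akim:/bin/bash
EXCH1\mbox1:*:10003:10002::/home/mbox1:/bin/bash
EOF
}

# Demo on the constructed data; on a live host pipe `getent passwd` instead
# and take the expected list from the domains `wbinfo -m` should report.
sample_passwd | missing_domains RICK "RICK LANDOM2 WANDOM1 EXCH1"   # prints: WANDOM1
```

Running it once under 3.0.7 and once after the upgrade, with the same expected list, shows exactly which trusts stopped enumerating.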