[Samba] Samba as AD domain member

Wright, Tim (ANTS) tim.wright at ants.co.uk
Sun Feb 22 18:37:58 GMT 2004 

Have answered some of my own questions by RTFM ( see below ).

Still interested to know if anyone has any ideas on replicating tdbs or if
ldap backend is much easier.

Also is there any way to get a user in a trusted domain with a unix account
on the server to exhibit the same behaviour as that which you get with
"winbind trusted domains only = yes" for the samba server domain i.e. is
there anyway to extend the behaviour to have a list of domains for which
winbind id mapping should not happen is an existing unix account is in
place?

any info would be greatly appreciated.

thanks

tim

-----Original Message-----
From: samba-bounces+unix.services=ants.co.uk at lists.samba.org
[mailto:samba-bounces+unix.services=ants.co.uk at lists.samba.org] On Behalf Of
Wright, Tim (ANTS)
Sent: 20 February 2004 14:17
To: 'samba at lists.samba.org'
Subject: [Samba] Samba as AD domain member



Hi

we're running 3.0.1 on Solaris 9 ( with NIS/flat files as the NS ) as a
member server of the AD domain ( via kinit and then net join ).
there's a couple of things we've noticed and I'm not sure if they're just
the way it works or configuration problems:

(1) we assign the gid an uid mappings with idmap in smb.conf and I thought
that winbindd would not assign uid/gids if they already present which
appears not to be the case? 

No it isn't the case as the smb.conf man page very clearly states

(2) all we are using winbindd for is to give access to file shares ( not for
logging into the unix server with AD account or anything ), and we seem to
have a slight issue in that 
(i) a AD user with no unix account accesses a share and winbindd creates a
unix account fot it and it is gtranted access to the share if  it satisfies
the valid users etc - good
(ii) a AD user with a valid unix account ( with the same username in AD and
NIS ) tries to access a share and sambd now validates the user as
AD\username rather than just username - bad

If you set winbind trusted domains only = yes then this is fine for users in
the same AD domain as the Samba server.

(3) Occasionally things just seem to stop working and the only way I can
find to fix it is to clear out the lockdir of all tdb files and restart (
symptoms will be things like net status sessions hangs, net groupmap list
hangs, wbinfo -r starts having issues )

(4) The samba stuff is running on a cluster ( active passive with dameons
running on both nodes all the time and just the share configuration failing
over ) - is there any way of ensuring that the tdb files are consistent
between the two ( I saw something on this list about a similar issue with a
backup print server ) - I'm I right in thinking we could set up an ldap
backend to store the tdb information ( if so is this advisable or is it
going to complicate things too much ).



thanks

tim


***************************************************************************
This communication (including any attachments) contains confidential
information.  If you are not the intended recipient and you have received
this communication in error, you should destroy it without copying,
disclosing or otherwise using its contents.  Please notify the sender
immediately of the error.

Internet communications are not necessarily secure and may be intercepted or
changed after they are sent.  Abbey National Treasury Services plc does not
accept liability for any loss you may suffer as a result of interception or
any liability for such changes.  If you wish to confirm the origin or
content of this communication, please contact the sender by using an
alternative means of communication.

This communication does not create or modify any contract and, unless
otherwise stated, is not intended to be contractually binding.

Abbey National Treasury Services plc. Registered Office:  Abbey National
House, 2 Triton Square, Regents Place, London NW1 3AN.  Registered in
England under Company Registration Number: 2338548.  Regulated by the
Financial Services Authority (FSA).
***************************************************************************

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba


***************************************************************************
This communication (including any attachments) contains confidential information.  If you are not the intended recipient and you have received this communication in error, you should destroy it without copying, disclosing or otherwise using its contents.  Please notify the sender immediately of the error.

Internet communications are not necessarily secure and may be intercepted or changed after they are sent.  Abbey National Treasury Services plc does not accept liability for any loss you may suffer as a result of interception or any liability for such changes.  If you wish to confirm the origin or content of this communication, please contact the sender by using an alternative means of communication.

This communication does not create or modify any contract and, unless otherwise stated, is not intended to be contractually binding.

Abbey National Treasury Services plc. Registered Office:  Abbey National House, 2 Triton Square, Regents Place, London NW1 3AN.  Registered in England under Company Registration Number: 2338548.  Regulated by the Financial Services Authority (FSA).
***************************************************************************

More information about the samba mailing list