[Samba] Re: Remote Citrix Auth Pass-Through ...

C.Lee Taylor leet at leenx.co.za
Thu Jan 22 17:16:46 GMT 2004

Greetings ...

Andrew Bartlett wrote:

>>	I am posting here, because I believe this is a little more technical than 
>>"I can't get my server to work?" ...
>This is still not the place.  Samba technical is not technical
>support, it's technical development of Samba.
    Okay, sorry ... done ...

    Sorry for the long delay, but I have had other projects to try and 
bring up to scratch ...

>>	If I use winbind, I can't set up a PDC.  It was explained to create a 
>>trust between my Samba domain and ADS domain, and this way I should be 
>>able to pass auth through the trust and as I have thought this through, 
>>I believe all my users will belong in the ADS domain and all the Machine 
>>accounts would belong in the Samba domain, but I can't get the trust working 
>>... I think this is because of the fact that our ADS is in native mode, 
>>and the HowTo only converts Mixed mode, and warns against using/trying 
>>it in Native Mode ( somebody's got to try it some time ) ...
>Now this is interesting.  We have the code to handle this, but we
>don't use it.  The RPC backends *should* allow you to handle this, but
>it is suboptimal.
    Okay, following chapter 16 I do ...

    On the Win2K3 DC I run the create Trust procedure ( which I should maybe 
put a little step by step down on paper ) ... I found if I had smb 
running when I ran this I would get all sorts of netlogon secure channel 
not working errors ... but if I had started smb long enough for WINS to 
have it listed, then stopped smb, it would go through without asking too many 
questions ...

    I would then run ...

    useradd domain-ads
    smbpasswd -a -i domain-ads
    net rpc trustdom establish domain-ads

    All successful ...

    I then found that I would trust both ways ... works nice from what I 
can see ...

    But my problem is that I would like to use the users in ADS, which 
with this setup, I have to set up Linux users which would then be trusted 
by ADS, but then I will lose all the delegation features that ADS 
brings the Microsoft guys, which is why we are putting this in.

    Is there no way that I could have my users in ADS, with a remote Linux 
server supporting netlogon scripts for these users?  This is what I am 
really looking for ...

>>	So, I was hoping that somebody might be able to help me, or if I am 
>>missing info ( which I can't think of what to put in here without 
>>flooding the list with information that is not needed ) what would be 
>>best to forward ...
>Start by setting an 'IPC username', with wbinfo --set-auth-user=...
    Which user should I use? After the trust was working, I was able to work 
both ways for general stuff ...

>I have a long-term goal of removing the need for a 'security=ADS'
>parameter, moving to more autodetection.  This should help this kind
>of thing a lot, as we can pick up what domains to do what with more
    I have seen you want to do this in past posts ... more autodetection 
is kewl if there is no loss of flexibility or control from a good admin ...