[Samba] Re: Remote Citrix Auth Pass-Through ...
leet at leenx.co.za
Thu Jan 22 17:16:46 GMT 2004
Andrew Bartlett wrote:
>> I am posting here, because I believe this is a little more technical than
>>"I can't get my server work?" ...
>This is still not the place. Samba technical is not technical
>support, it's technical development of Samba.
Okay, sorry ... done ...
Sorry for the long delay, but have had other projects to try and
bring up to scratch ...
>> If I use winbind, I can't setup a PDC. It was explained to create a
>>trust between my Samba domain and ADS domain, and this way I should be
>>able to pass auth through the trust and as I have thought this through,
>>I believe all my users will belong in ADS domain and all the Machine
>>accounts would belong in Samba domain, but I can't get the trust working
>>... I think this is because of the fact that our ADS is in native mode,
>>and the HowTo only converts Mixed mode, and warns against using/trying
>>in Native Mode ( somebody's got to try it some time ) ...
>Now this is interesting. We have the code to handle this, but we
>don't use it. The RPC backends *should* allow you to handle this, but
>it is suboptimal.
Okay, following chapter 16 I do ...
On Win2K3 DC I run the create Trust procedure ( which I should maybe
put a little step by step down on paper ) ... I found if I had smb
running when I ran this I would get all sorts of netlogon secure channel
not working errors ... but if I had started smb long enough for WINS to
have it listed, then stop smb, it would go through without ask too many
I would then run ...
smbpasswd -a -i domain-ads
net rpc trustdom establish domain-ads
All successful ...
I then found that I would trust both ways ... works nice from what I
can see ...
But my problem is that I would like to use the users in ADS, which
with this setup, I have to setup Linux users which would then be trusted
by ADS, but then I will lose all the delegation features that ADS
brings Microsoft guys, which is why we are putting this in.
Is there no way that I could have my users in ADS, with remote Linux
server supporting netlogon scripts for these users? This is what I am
really looking for ...
>> So, I was hoping that somebody might be able to help me, or if I am
>>missing info ( which I can't think of what to put in here without
>>flooding the list with information that is not needed ) what would be
>>best to forward ...
>Start by setting an 'IPC username', with wbinfo --set-auth-user=...
Which user should I use? After the trust was working, I was able to work
both ways for general stuff ..
>I have a long-term goal of removing the need for a 'security=ADS'
>parameter, moving to more autodetection. This should help this kind
>of thing a lot, as we can pick up what domains to do what with more
I have seen you want to do this in past posts ... more autodetection
is kewl if there is no loss of flexibility or control from a good admin ...