[Samba] Re: Trusting and trusted domain (home mapping) problem

[Adrian Chow]

Hi Igor,

Once again, thanks for keeping up with me.  I have been migrating my 
master ldap server to 2.1 version so to keep it the same with the PDCs 
version of LDAP.  Now they are the same.

I have rectified such that "wbinfo -u" on both sides worked now.  I am 
made "net rpc trustdom list" worked.  It was not working before.  I had 
to put "stuadmin = root" in the student PDC's smbusers file.  And I had 
to put "Administrator = root" in the staff's PDC's smbusers file to get 
the "net rpc trustdom list" to work.  I did not have a uid=root you see.

Now "net use x: /home" by the Dom B user (grade2 in this case) on the 
Domain_A_machine still does not work.  The /var/log/samba/Dom_A_machine 
from the Domain_A_PDC will be sent separately as I don want to post it 
on the lists.
The /var/log/samba/Domain_A_PDC from Domain_B_PDC will be sent to you too.

My view on the logs
---------------------
I believe by reading it, it will hold the key why it did not work.  I 
believe during authentication, Domain_A_PDC got the information of 
Domain_B_user from Domain_B_PDC properly.  But it cannot find 
Domain_B\Domain_B_user in the Get_Pwnam_internals function.  It can only 
find Domain_B_user in the Get_Pwnam_internals function!  Now because it 
finds Domain_B_user and not Domain_B\Domain_B_user, Domain_A_PDC will 
NOT use the data that it has gotten from the Domain_B_PDC.

Now, I then think that it has something to do with libnssldap.conf, 
pam_ldap.conf and ldap.conf file.

Here is my config:-
libnssldap.conf, pam_ldap.conf and ldap.conf is configured to see both 
domain's data.
On the smb.conf, the ldapsam backend is ONLY seeing its own domain data.
"getent passwd" on either PDC will see both domain's users.
my nsswitch.conf is doing "compat ldap" rather than "compat winbind". 
Hence "getent passwd" will then give user as "domain_b_user" rather than 
"domain_B\domain_b_user".

Is this the right way to do it?  If I make sure the "getent passwd" is 
ONLY seeing its own domain ,then I cannot login into the other domain !!

Hope when I sent you the files, you will be able to help.  Thanks for 
giving that hope that you made it working before.  Thanks for not 
posting up the logs and the conf files.

Cheers,

adrian


Igor Belyi wrote:
> Adrian Chow wrote:
> 
>> Hi Igor,
>>
>> Here are my smb.conf files for feanor and gloin.  They are the PDCs 
>> for the staff and student domain.  My ldaps in the PDCs are configured 
>> to update to the master LDAP which have the lower version of LDAP.  
>> Upon update the master, the master will then update the slave ldaps 
>> which are the PDCs.
>>  
>>
> Setup looks fine. At least, I don't see any problem with it. The next 
> step then will be to collect 'log level = 5' trace during login and LDAP 
> entries for both users from DomainA and DomainB which you use to test 
> home mounts. But I would recommend to update Samba to 3.0.7 in both PDCs 
> first.
> 
>> I did not post it up to the samba lists cause i wonder would it bleach 
>> the security for my servers.  Hope you understand.  Let me know your 
>> concerns in this.
>>
> I always thought that people avoid posing their config files due to 
> liability problems (don't want their users to know that they have 
> problems) than due to security concerns.. But, I can be wrong and 
> probably this information could be used for mischief. But be warn that 
> smbd logs usually have more information than config files.
> 
> It's fine with me if you don't want to post your config on the list as 
> long as you post the solution to your problem afterwards. :)
> 
> Igor
> 
> 
>