[Samba] winbind auth using ADS with domain trusts
SAMBA
letz_samba at realmspace.com
Sun Dec 4 08:20:34 GMT 2005
I would be interested in contributing, but I have oh so many questions,
once I understand, I will document what I know. For myself, I am
totally not interested in ANY NT style domain functionality, but rather
full 100% pure Active Directory integration. I am now exploring PADL
stuff and Kerberos stuff along with either AD4Unix or SFU3.5. However,
I am concerned over PADL's lack of caching and I'm interested in
winbindd.
I'm also interested in automation of UID/GID generation perhaps with
IDMAP. I would want them written back to AD LDAP, rather than a
separate database. I don't know if it does this already.
I would also be interested in developing my own scheme to how UID/GID
are generated in correlation to SID, so I might avoid IDMAP (or change
it, mumuhuhuhaha).
- Joaquin Menchaca
-----Original Message-----
From: samba-bounces+letz_samba=realmspace.com at lists.samba.org
[mailto:samba-bounces+letz_samba=realmspace.com at lists.samba.org] On
Behalf Of John H Terpstra
Sent: Wednesday, November 23, 2005 2:25 PM
To: Shaun Kruger
Cc: samba at samba.org
Subject: Re: [Samba] winbind auth using ADS with domain trusts
On Wednesday 23 November 2005 14:34, you wrote:
> On 11/23/05, John H Terpstra <jht at samba.org> wrote:
> > On Wednesday 23 November 2005 14:03, Shaun Kruger wrote:
> > > In reading the documentation I havn't found anything that covers
the
> > > use of winbindd when authenticating against one domain (lets call
it
> > > 'A') while also allowing users from a domain trusted by A (lets
call it
> > > 'B').
> >
> > What documentation have you read so far?
>
> I've been spending alot of time with the Samba howto collection
> http://us4.samba.org/samba/docs/man/Samba-HOWTO-Collection/
> I've been reading about domain membership and winbindd
OK. So perhaps are you delving head-first into the mechanic's guide
before you
have mastered deployment? The book, "Samba-3 by Example" is designed to
help
people to deploy Samba-3 BEFORE they start to tinker with its arkane
features. (see http://www.samba.org/samba/docs/Samba3-ByExample.pdf)
Having a working system before tinkering makes it easier to observe the
effects of change, and thus aides and accelerates learning.
Chapter 7 of the ByExample book provides information on adding Samba
servers
that are domain members. Mastery of domain member servers will help you
with
interdomain trust handling.
In any case, the Samba3-HOWTO (aka Samba3-HOWTO-Collection)
(see http://www.samba.org/samba/docs/Samba3-HOWTO.pdf) has a few
chapters you
will need to refer to:
Chapter 18 describes how interdomain trusts can be established
- create interdomain trusts so that users from
one domain
can access resources in a foreign domain.
Chapter 11 describes group management concepts.
Chapter 12 describes the use of the 'net' command
- you will need to establish nested groups that
will be used
to permit users from trusted domains to access
resources
that are used in the trusting domain. If you do
not do this,
foreign domain users and groups will operate
with
independent UID/GID date thus necessitating
relaxation of
UNIX file system permissions so that local and
foreign users
can access the same resources.
Chapter 13 describes IDMAP functionality
- your foreign user and group SIDs must be
translated to
locally known UID/GID values - that is the role
of winbind.
However it can also be done without winbind -
in that case
the accounts must be capable of being resolved
locally on
the Samba server.
Chapter 14 describes user rights and privileges
- remote administration of a foreign domain is
possible
only through use of these facilities that were
new to
Samba 3.0.11.
Above all, you need to understand how in a pure Windows NT/200x world
interdomain trusts are used. My documentation does not try to impart
that
knowledge.
I am the first to admit that the HOWTO does not provide a neatly
integrated
guide to setting up a domain member server, nor does it provide a
detailed
document to describe use of interdomain file and directory access. I'd
much
appreciate it if someone would contribute a well documented chapter on
these
subjects.
Despite all this, I strongly believe that the domain controller, backup
domain
controller and domain membership chapters in the HOWTO are in need of
restructuring. I am working on the next generation documentation that
will
ulitmately replace these chapters - I just do not know when this will be
implemented due to other priorities.
I believe that the "Samba-3 by Example" is the best place for deployment
guidance and that the HOWTO should stick to explanation of how Samba
features
function and can be used. The purpose of the HOWTO is NOT to provide
documented deployment guidance. It is my intent to put further examples
of
use into the Samba-3 by Example book.
- John T.
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba
More information about the samba
mailing list