[Samba] Problems on HP-UX 11i with 'user add script'
John H Terpstra
jht at Samba.Org
Tue Jan 4 22:33:56 GMT 2005
On Tuesday 04 January 2005 14:49, Ryan Novosielski wrote:
> This one doesn't make any sense to me. What's worse, it seems to
> occasionally work and sometimes not. I am attempting to log into a domain
> (DOMA let's say) and I only have an account on DOMB. When DOMA's Samba PDC
> attempts to create a UNIX account for me, this is what happens:
>
...
> ...when running that command from a shell, it does not exit 1. I can't
> figure out why it does that, or why there is a problem with the
> netsamlogon_cache.tdb. I read something about requiring Winbindd, but I
> don't see how my situation (two Samba PDC's with a trust relationship
> between the two different domains) requires Winbindd, unless Winbindd
> running would keep me from having to do 'add user script' work (simply
> using the same accounting info via NSS that it is getting from Samba).
>
> Can someone shed some light on this for me? The docs are not making it
> clearer.
Let's consider an example:
DOMA has a user 'freddy' with UID=2349
DOMB has a user 'freddy' with UID=5412
DOMA\freddy has SID='S-1-5-21-12345678-12345678-12345678-4698'
DOMB\freddy has SID='S-1-5-21-87654321-87654321-87654321-10824'
There is a two-way trust relationship between DOMA and DOMB. The method for
establishing interdomain trusts is documented in the Samba-HOWTO-Collection.
There is a chapter on it.
DOMA\freddy is an entirely different person from DOMB\freddy. One is the CEO
and the other the janitor. I guess the CEO of DOMA would not like the janitor
of DOMB to have access to his files.
What happens with your method? My guess:
DOMB\freddy accesses DOMA and inherits DOMA\freddy file access permissions.
After all, what is there to distinguish DOMA\freddy from DOMB\freddy - they
will have the same account name because you will not create a new account by
calling the user add script if the local account already exists. In other
words DOMA\freddy is the same user as DOMB\freddy in your configuration.
With winbind, DOMB\freddy will on access to the DOMA domain be allocated a UID
out of the IDMAP UID pool, and for all intents and purposes will be an
entirely different user from DOMA\freddy.
Does that clear up why you need to use winbind? The other reason is that
winbind caches the domain credentials for each trusted domain thus making the
entire network operation more efficient.
I hope this helps. This should be in the HOWTO-Collection - if not it must be
added. I'll check and update this too.
- John T.
--
John H Terpstra
Samba-Team Member
Phone: +1 (650) 580-8668
Author:
The Official Samba-3 HOWTO & Reference Guide, ISBN: 0131453556
Samba-3 by Example, ISBN: 0131472216
Hardening Linux, ISBN: 0072254971
Other books in production.
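As an added example (not from John's post and not from the Samba documentation), the smb.conf fragment below shows the winbind settings a DOMA PDC would carry so that DOMB\freddy is mapped through the idmap pool instead of through 'add user script'. The domain names follow the post; the NetBIOS name, the useradd path, the home directory layout and the idmap ranges are assumptions for illustration. Samba 3.0-era parameter names are used, matching the date of the thread.

```ini
# Added example: smb.conf [global] for the DOMA PDC (assumed values marked)
[global]
    workgroup = DOMA
    netbios name = DOMA-PDC          ; assumed
    security = user
    domain logons = yes
    domain master = yes
    passdb backend = tdbsam

    ; 'add user script' is only run when an authenticated user has no UNIX
    ; account visible through getpwnam(). Once winbindd answers NSS lookups
    ; for trusted-domain users, it is never run for DOMB\freddy.
    add user script = /usr/sbin/useradd -m %u   ; path assumed

    ; UID/GID pool for trusted-domain users. DOMB\freddy gets a UID from
    ; here on first access and the SID->UID mapping is kept by winbindd.
    ; The pool must not overlap any UID/GID already used locally on this
    ; host (2349, 5412, ...) so an allocated ID can never alias a local user.
    idmap uid = 10000-20000          ; range assumed
    idmap gid = 10000-20000          ; range assumed

    ; Keep the domain prefix: folding DOMB\freddy to a bare 'freddy' is
    ; exactly what would collide with the local DOMA\freddy account.
    winbind use default domain = no
    winbind enum users = yes
    winbind enum groups = yes
    template shell = /bin/false
    template homedir = /home/%D/%U   ; layout assumed

; /etc/nsswitch.conf must also consult winbind, e.g.:
;   passwd: files winbind
;   group:  files winbind
```

With winbindd running and libnss_winbind installed, `wbinfo -m` should list DOMB among the trusted domains and `wbinfo -t` should confirm the trust secret. `wbinfo -n 'DOMB\freddy'` returns the DOMB SID, `wbinfo -S <that SID>` the UID allocated from the pool, and `getent passwd 'DOMB\freddy'` should show that UID rather than 2349. If `getent` returns the local DOMA entry or nothing at all, NSS is not reaching winbind and smbd will fall back to the local account name, which is the collision John describes.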