[Samba] Problems on HP-UX 11i with 'user add script'

John H Terpstra jht at Samba.Org
Tue Jan 4 22:33:56 GMT 2005


On Tuesday 04 January 2005 14:49, Ryan Novosielski wrote:
> This one doesn't make any sense to me. What's worse, it seems to
> occasionally work and sometimes not. I am attempting to log into a domain
> (DOMA let's say) and I only have an account on DOMB. When DOMA's Samba PDC
> attempts to create a UNIX account for me, this is what happens:
>
...
> ...when running that command from a shell, it does not exit 1. I can't
> figure out why it does that, or why there is a problem with the
> netsamlogon_cache.tdb. I read something about requiring Winbindd, but I
> don't see how my situation (two Samba PDC's with a trust relationship
> between the two different domains) requires Winbindd, unless Winbindd
> running would keep me from having to do 'add user script' work (simply
> using the same accounting info via NSS that it is getting from Samba).
>
> Can someone shed some light on this for me? The docs are not making it
> clearer.

Let's consider an example:

DOMA has a user 'freddy' with UID=2349
DOMB has a user 'freddy' with UID=5412

DOMA\freddy has SID='S-1-5-21-12345678-12345678-12345678-4698'
DOMB\freddy has SID='S-1-5-21-87654321-87654321-87654321-10824'

There is a two-way trust relationship between DOMA and DOMB. The method for 
establishing interdomain trusts is documented in the Samba-HOWTO-Collection. 
There is a chapter on it.

DOMA\freddy is an entirely different person from DOMB\freddy. One is the CEO 
and the other the janitor. I guess the CEO of DOMA would not like the janitor 
of DOMB to have access to his files.

What happens with your method? My guess:
DOMB\freddy accesses DOMA and inherits DOMA\freddy file access permissions.
After all, what is there to distinguish DOMA\freddy from DOMB\freddy - they 
will have the same account name because you will not create a new account by 
calling the user add script if the local account already exists. In other 
words DOMA\freddy is the same user as DOMB\freddy in your configuration.

With winbind, DOMB\freddy will on access to the DOMA domain be allocated a UID 
out of the IDMAP UID pool, and for all intents and purposes will be an 
entirely different user from DOMA\freddy.

Does that clear up why you need to use winbind? The other reason is that 
winbind caches the domain credentials for each trusted domain thus making the 
entire network operation more efficient.

I hope this helps. This should be in the HOWTO-Collection - if not it must be 
added. I'll check and update this too.

- John T.
-- 
John H Terpstra
Samba-Team Member
Phone: +1 (650) 580-8668

Author:
The Official Samba-3 HOWTO & Reference Guide, ISBN: 0131453556
Samba-3 by Example, ISBN: 0131472216
Hardening Linux, ISBN: 0072254971
Other books in production.
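
Added example, not part of the original message and not Samba code: a small Python model of the collision described in the reply above, comparing a mapping keyed on the bare account name with one that allocates a UID per SID from a reserved pool. The class and function names, the pool range 10000-20000 and the starting UID 3000 are assumptions; the SID and UID 2349 are taken from the message.

```python
# Simplified model of the two mapping strategies discussed above; not Samba code.
# The SID and UID 2349 come from the message; everything else is an assumption.
DOMB_FREDDY = ("DOMB", "freddy", "S-1-5-21-87654321-87654321-87654321-10824")


class NameOnlyMapper:
    """Maps by bare account name; creates a local account only if none exists."""
    def __init__(self, passwd, next_uid):
        self.passwd = dict(passwd)      # local account name -> UID
        self.next_uid = next_uid

    def uid_for(self, domain, name, sid):
        if name not in self.passwd:     # stand-in for running the user add script
            self.passwd[name] = self.next_uid
            self.next_uid += 1
        return self.passwd[name]        # domain and SID are never consulted


class SidPoolMapper:
    """Allocates one UID per SID from a reserved pool (winbind's IDMAP, in outline)."""
    def __init__(self, low, high):
        self.next_uid, self.high = low, high
        self.by_sid = {}                # SID -> allocated UID

    def uid_for(self, domain, name, sid):
        if sid not in self.by_sid:
            if self.next_uid > self.high:
                raise RuntimeError("idmap UID pool exhausted")
            self.by_sid[sid] = self.next_uid
            self.next_uid += 1
        return self.by_sid[sid]


def can_read(file_owner_uid, requester_uid):
    """Owner-only file (mode 0600): the decision is made on the UID alone."""
    return file_owner_uid == requester_uid


def demo():
    ceo_uid = 2349                                  # DOMA\freddy on the DOMA server
    by_name = NameOnlyMapper({"freddy": ceo_uid}, next_uid=3000)
    by_sid = SidPoolMapper(10000, 20000)            # assumed pool range
    return {
        "name_only": can_read(ceo_uid, by_name.uid_for(*DOMB_FREDDY)),
        "sid_pool": can_read(ceo_uid, by_sid.uid_for(*DOMB_FREDDY)),
        "sid_pool_uid": by_sid.uid_for(*DOMB_FREDDY),
    }

if __name__ == "__main__":
    print(demo())
```

When auditing an existing server, the condition to look for is the first case: a trusted-domain account name that resolves to a UID already owned by a local account of the same name.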

