[Samba] Proper behavior of Interdomain Trust uid mappings

Ian Clancy clancyian at cel.ie
Tue Jun 14 23:26:44 GMT 2005

Robert Kelly wrote:

>Hi there,
>I'm running Samba 3.0.14a-sernet on Suse 9.1 using ldapsam.
>I've got an interdomain trust setup across a vpn connection with a
>2k3sp1 domain (DOMB).
>The trust works.
I have a similar setup to yourself, except I have 2 samba domains across
a VPN.

>What is strange is that a user from DOMB can't access any shares until
>they browse a share on our domain controller, say netlogon, then samba
>creates a new posix account for them in the ou=users base.
I spent quite a while myself trying to figure this out. I'm not sure if
what I have done is correct but in nsswitch.conf I have:
passwd:     files ldap winbind
shadow:     files ldap winbind
group:      files ldap winbind

winbind is used to give the foreign SIDs from the trusted domain a uid on
your PDC or domain member server.

>I have nsswitch.conf using ldap, and samba configured to use winbind as
>per the howto. Same wins etc.
>What isn't clear to me is why the user account gets created as a regular
>account and not in the ou=idmap base.
I had this same problem until I added winbind to the nsswitch.conf file.
Can you see the users from the trusted domain when you enter 'wbinfo -u'
at the shell?

>Shouldn't just a sambaIdmapEntry object be created in ou=IdMap and not a
>posixaccount in ou=users?
>The account gets created with a uid from the regular users range not
>from the idmap uid range and still gets created when winbind is stopped.
>I've read Chapter 18. Interdomain Trust Relationships over and over
>again, but need some suggestions on the correct way to setup winbind on
>a domain controller when using a trust.
>Any clues?
The book is not very clear on this. It took me some time to figure it out.


Ian Clancy
IT Systems Engineer
Connaught Electronics Ltd.
Dunmore Rd,
Co. Galway,

P : ++353 93 23151
F : ++353 93 23110
E : mailto:clancyian at cel.ie
W : http://www.cel-europe.com
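
Added example, not part of the original post or of Samba: a shell check for the two points raised in this thread, whether `passwd` and `group` in nsswitch.conf list winbind, and whether a given uid falls inside the winbind idmap range. It assumes the range is written literally as `idmap uid = LOW-HIGH` in smb.conf; the function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: function names and sample files are constructed for illustration.

# Print each NSS database (passwd, group) whose source list in the given
# nsswitch.conf does not include winbind.
nss_missing_winbind() {
    for db in passwd group; do
        # Last uncommented "db:" line, minus the key and any trailing comment;
        # tabs and repeated blanks are squeezed to single spaces.
        sources=$(sed -n "s/^[[:space:]]*$db:[[:space:]]*\([^#]*\).*/\1/p" "$1" \
                  | tail -n 1 | tr -s '[:space:]' ' ')
        case " $sources " in
            *" winbind "*) ;;          # winbind is consulted for this database
            *) echo "$db" ;;           # trusted-domain SIDs cannot resolve here
        esac
    done
}

# Return 0 if uid $2 lies inside the "idmap uid = LOW-HIGH" range of smb.conf $1,
# 1 if it lies outside, 2 if no such range is configured.
uid_in_idmap_range() {
    range=$(sed -n 's/^[[:space:]]*idmap uid[[:space:]]*=[[:space:]]*\([0-9][0-9]*\)[[:space:]]*-[[:space:]]*\([0-9][0-9]*\).*/\1 \2/p' "$1" | tail -n 1)
    [ -n "$range" ] || return 2
    low=${range% *}
    high=${range#* }
    [ "$2" -ge "$low" ] && [ "$2" -le "$high" ]
}

# Constructed sample input: passwd lacks winbind, idmap range is 10000-20000.
tmp=$(mktemp -d)
printf 'passwd: files ldap\ngroup:\tfiles ldap winbind\n' > "$tmp/nsswitch.conf"
printf '[global]\n\tidmap uid = 10000-20000\n' > "$tmp/smb.conf"

echo "databases missing winbind: $(nss_missing_winbind "$tmp/nsswitch.conf")"
for uid in 1005 10042; do
    if uid_in_idmap_range "$tmp/smb.conf" "$uid"; then
        echo "uid $uid: inside idmap range (allocated by winbind)"
    else
        echo "uid $uid: outside idmap range (regular posix account)"
    fi
done
rm -rf "$tmp"
```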
