[Samba] Proper behavior of Interdomain Trust uid mappings
clancyian at cel.ie
Tue Jun 14 23:26:44 GMT 2005
Robert Kelly wrote:
>I'm running Samba 3.0.14a-sernet on Suse 9.1 using ldapsam.
>I've got an interdomain trust setup across a vpn connection with a
>2k3sp1 domain (DOMB).
>The trust works.
I have a similar setup to yourself except I have 2 samba domains across
>What is strange is that a user from DOMB can't access any shares until
>they browse a share on our domain controller, say netlogon, then samba
>creates a new posix account for them in the ou=users base.
I spent quite a while myself trying to figure this out. I'm not sure if
what I have done is correct, but in nsswitch.conf I have:
passwd: files ldap winbind
shadow: files ldap winbind
group: files ldap winbind
Winbind is used to give the foreign SIDs from the trusted domain a uid on
your PDC or domain member server.
>I have nsswitch.conf using ldap, and samba configured to use winbind as
>per the howto. Same wins etc.
>What isn't clear to me is why the user account gets created as a regular
>account and not in the ou=idmap base.
I had this same problem until I added winbind to the nsswitch.conf file.
Can you see the users from the trusted domain when you enter 'wbinfo -u'
at the shell?
>Shouldn't just a sambaIdmapEntry object be created in ou=IdMap and not a
>posixaccount in ou=users?
>The account gets created with a uid from the regular users range not
>from the idmap uid range and still gets created when winbind is stopped.
>I've read Chapter 18. Interdomain Trust Relationships over and over
>again, but need some suggestions on the correct way to setup winbind on
>a domain controller when using a trust.
The book is not very clear on this. It took me some time to figure it out.
IT Systems Engineer
Connaught Electronics Ltd.
P : ++353 93 23151
F : ++353 93 23110
E : mailto:clancyian at cel.ie
W : http://www.cel-europe.com
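
A check for the two symptoms discussed in this thread, added here as an example and not written by either poster: whether winbind is listed as an NSS source, and whether a trusted-domain user's uid falls inside smb.conf's "idmap uid" range. The function names, the 10000-20000 range and the sample uids are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Function names and sample values are hypothetical.

# nss_has_winbind FILE DB -> exit 0 if "winbind" is a source for DB (passwd, group, ...)
nss_has_winbind() {
    awk -v db="$2:" '
        { sub(/#.*/, "") }                         # drop trailing comments
        $1 == db { for (i = 2; i <= NF; i++) if ($i == "winbind") found = 1 }
        END { exit !found }
    ' "$1"
}

# idmap_uid_range SMBCONF -> prints "LOW HIGH" taken from the "idmap uid" parameter
idmap_uid_range() {
    awk -F= '
        /^[ \t]*[#;]/ { next }                     # smb.conf comment lines
        tolower($1) ~ /^[ \t]*idmap[ \t]+uid[ \t]*$/ {
            gsub(/[ \t]/, "", $2); split($2, r, "-"); print r[1], r[2]; exit
        }
    ' "$1"
}

# uid_in_idmap_range SMBCONF UID -> exit 0 if UID lies inside the idmap uid range
uid_in_idmap_range() {
    set -- "$2" $(idmap_uid_range "$1")            # now: $1=uid $2=low $3=high
    [ $# -eq 3 ] && [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# Constructed sample inputs; the "good" nsswitch lines are the ones quoted in the reply.
SAMPLE_DIR=$(mktemp -d)
printf 'passwd: files ldap winbind\nshadow: files ldap winbind\ngroup: files ldap winbind\n' \
    > "$SAMPLE_DIR/nsswitch.good"
printf 'passwd: files ldap\ngroup: files ldap\n' > "$SAMPLE_DIR/nsswitch.bad"
printf '[global]\n   idmap uid = 10000-20000\n   idmap gid = 10000-20000\n' \
    > "$SAMPLE_DIR/smb.conf"

for f in good bad; do
    if nss_has_winbind "$SAMPLE_DIR/nsswitch.$f" passwd; then
        echo "nsswitch.$f: winbind listed for passwd"
    else
        echo "nsswitch.$f: winbind missing for passwd"
    fi
done
uid_in_idmap_range "$SAMPLE_DIR/smb.conf" 10005 && echo "uid 10005: inside idmap uid range"
uid_in_idmap_range "$SAMPLE_DIR/smb.conf" 1004 || echo "uid 1004: regular users range"
```

On a live system the uid to test is the third field of the `getent passwd` entry for the trusted-domain user, and the files to check are the real nsswitch.conf and smb.conf.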