[Samba] winbind auth using ADS with domain trusts

[John H Terpstra]

On Wednesday 23 November 2005 14:34, you wrote:
> On 11/23/05, John H Terpstra <jht at samba.org> wrote:
> > On Wednesday 23 November 2005 14:03, Shaun Kruger wrote:
> > > In reading the documentation I havn't found anything that covers the
> > > use of winbindd when authenticating against one domain (lets call it
> > > 'A') while also allowing users from a domain trusted by A (lets call it
> > > 'B').
> >
> > What documentation have you read so far?
>
> I've been spending alot of time with the Samba howto collection
> http://us4.samba.org/samba/docs/man/Samba-HOWTO-Collection/
> I've been reading about domain membership and winbindd

OK. So perhaps are you delving head-first into the mechanic's guide before you 
have mastered deployment? The book, "Samba-3 by Example" is designed to help 
people to deploy Samba-3 BEFORE they start to tinker with its arkane 
features. (see http://www.samba.org/samba/docs/Samba3-ByExample.pdf)

Having a working system before tinkering makes it easier to observe the 
effects of change, and thus aides and accelerates learning.

Chapter 7 of the ByExample book provides information on adding Samba servers 
that are domain members. Mastery of domain member servers will help you with 
interdomain trust handling.

In any case, the Samba3-HOWTO (aka Samba3-HOWTO-Collection)
(see http://www.samba.org/samba/docs/Samba3-HOWTO.pdf) has a few chapters you 
will need to refer to:

	Chapter 18 describes how interdomain trusts can be established
			- create interdomain trusts so that users from one domain
			can access resources in a foreign domain.

	Chapter 11 describes group management concepts.

	Chapter 12 describes the use of the 'net' command
			- you will need to establish nested groups that will be used
			to permit users from trusted domains to access resources 
			that are used in the trusting domain. If you do not do this, 
			foreign domain users and groups will operate with 
			independent UID/GID date thus necessitating relaxation of 
			UNIX file system permissions so that local and foreign users
			can access the same resources.

	Chapter 13 describes IDMAP functionality
			- your foreign user and group SIDs must be translated to
			locally known UID/GID values - that is the role of winbind.
			However it can also be done without winbind - 	in that case 
			the accounts must be capable of being resolved locally on 
			the Samba server.

	Chapter 14 describes user rights and privileges
			- remote administration of a foreign domain is possible
			only through use of these facilities that were new to
			Samba 3.0.11.

Above all, you need to understand how in a pure Windows NT/200x world 
interdomain trusts are used. My documentation does not try to impart that 
knowledge.

I am the first to admit that the HOWTO does not provide a neatly integrated 
guide to setting up a domain member server, nor does it provide a detailed 
document to describe use of interdomain file and directory access. I'd much 
appreciate it if someone would contribute a well documented chapter on these 
subjects.

Despite all this, I strongly believe that the domain controller, backup domain 
controller and domain membership chapters in the HOWTO are in need of 
restructuring. I am working on the next generation documentation that will 
ulitmately replace these chapters - I just do not know when this will be 
implemented due to other priorities.

I believe that the "Samba-3 by Example" is the best place for deployment 
guidance and that the HOWTO should stick to explanation of how Samba features 
function and can be used. The purpose of the HOWTO is NOT to provide 
documented deployment guidance. It is my intent to put further examples of 
use into the Samba-3 by Example book.

- John T.