[Samba] Trusted domains within a large enterprise

Adam Wainwright Adam.Wainwright at dsl.pipex.com
Tue Feb 21 22:43:10 GMT 2006


Hi Folks

I need some advice on whether what I am doing is correct, initially  
from a logical perspective.

My company (E.ON - large utility) has a large ADS system.  We are  
retiring NT4 domains and I have been asked to transfer the SAMBA  
domain log-ins into ADS.  I am initially testing my work on Linux  
RHEL 4, running SAMBA 3.10.

The ADS system consists of a realm/forest PG.EON.NET (old Powergen)  
on server A, a realm/forest RETAIL.PG.EON.NET on server B and a new  
realm/forest UNIX.EONUK.INT on server C.  There is a one-way trust  
system whereby C trusts A and B.  A and B are running native AD on  
W2K3 and C is currently running mixed mode on W2K3.  The idea is to  
place the UNIX machine accounts into C (no user accounts) and use it  
for authentication of users in the RETAIL/PG and eventually other  
areas.  The Windows admin has stated that we should get the thing  
working on mixed mode then he'll transfer the system into native and  
see if we can continue as it is more lax.

I have set up the kerberos system on the SAMBA server and 'net ads  
join' works fine to the UNIX.EONUK.INT realm.  'wbinfo -u' and  
'wbinfo -g' also work fine and produce accounts such as  
'RETAIL+FRED'.  I can even do a 'kinit' to get a ticket against the machine  
account.  The number of accounts is ca. 13000 so I have put 'idmap  
uid = 10000 - 40000' into the smb.conf.

I cannot get 'getent' to work, however, and I see within the winbindd  
logs that it cannot map ids to SIDs.  I also see within the logs the  
IP addresses of A and B, refusing requests from SAMBA, whereas I was  
under the impression that C would forward on requests for  
authentication or handle them for the SAMBA server (according to the  
Windows admins), and it looks as if it is receiving either  
redirection or 'nmbd' has asked "who's RETAIL.PG.EON.NET?" and got an  
answer to query elsewhere than server C.

The questions I have at this time:

1.  Do I have to be running native mode on the W2K3 server for realm  
UNIX?
2.  Is the one-way trust system here broken/a bit silly?
3.  Is the only way forward to place the SAMBA servers' machine  
accounts into the correct realms for each business?
4.  Why does my brain hurt so much?

Confused, and in dire need of help or beer,

Adam


--
Nothing stops the tide!
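As an added example (not part of Adam's post or of the Samba project), the script below strings together the checks the post describes, in the order an administrator would run them when winbind enumerates users but 'getent' and SID-to-uid mapping fail: verify the join, verify the trust secret, list the trusted domains winbind actually knows about, enumerate a few users, then follow one user through NSS and through an explicit name -> SID -> uid lookup so the failing step is visible. It also carries two small helpers that check whether an 'idmap uid' range can hold a given number of accounts and that split a 'DOMAIN+user' name on the winbind separator. It assumes the 'wbinfo -t', 'wbinfo -m', 'wbinfo -n', 'wbinfo -S' and 'net ads testjoin' options are present in the Samba 3.0 build in use, and that '+' is the configured winbind separator; the sample values are taken from the post.

```shell
#!/bin/sh
# Added diagnostic example, not from the original post or from Samba itself.
# Assumption: wbinfo -t/-m/-n/-S and 'net ads testjoin' exist in the installed Samba 3.0.x build.

# Print how many uids an smb.conf 'idmap uid = LOW - HIGH' value can hold.
idmap_capacity() {
    range=$(printf '%s' "$1" | tr -d ' ')   # "10000 - 40000" -> "10000-40000"
    low=${range%-*}
    high=${range#*-}
    echo $((high - low + 1))
}

# Exit 0 if the range holds at least NEEDED accounts, 1 otherwise.
idmap_fits() {
    [ "$(idmap_capacity "$1")" -ge "$2" ]
}

# Split a winbind name such as RETAIL+FRED on the configured separator.
winbind_domain() { sep=$2; printf '%s\n' "${1%%$sep*}"; }
winbind_user()   { sep=$2; printf '%s\n' "${1#*$sep}"; }

# Walk the checks from the post for one user; prints which step fails.
winbind_diag() {
    user=$1
    for t in net wbinfo getent awk; do
        command -v "$t" >/dev/null 2>&1 || { echo "missing tool: $t"; return 1; }
    done

    echo "== machine account / join to the realm the server was joined to"
    net ads testjoin || echo "join check failed: fix this before looking at idmap"

    echo "== trust secret between this server and its domain controller"
    wbinfo -t || echo "trust secret check failed"

    echo "== trusted domains winbind has discovered (should list the domain of $user)"
    wbinfo -m

    echo "== first few users winbind enumerates"
    wbinfo -u | head -n 3

    echo "== NSS path: does getent resolve $user?"
    getent passwd "$user" || echo "getent failed for $user: NSS or idmap path, not enumeration"

    echo "== explicit path: name -> SID -> uid"
    sid=$(wbinfo -n "$user" | awk '{print $1}')
    [ -n "$sid" ] || { echo "name -> SID lookup failed for $user"; return 1; }
    echo "SID for $user is $sid"
    wbinfo -S "$sid" || echo "SID -> uid mapping failed for $sid: check 'idmap uid' range and winbindd log"
}

# Usage: sh winbind-diag.sh --run RETAIL+FRED
case "${1:-}" in
    --run)
        range='10000 - 40000'          # value from the post's smb.conf
        if idmap_fits "$range" 13000; then
            echo "idmap range '$range' holds $(idmap_capacity "$range") uids: enough for 13000 accounts"
        else
            echo "idmap range '$range' is too small for 13000 accounts"
        fi
        winbind_diag "${2:?give a DOMAIN+user name}"
        ;;
esac
```

Run it with the user name exactly as 'wbinfo -u' prints it; the step that prints a failure message is where the mapping chain breaks, which narrows the problem to either trust discovery (no entry in 'wbinfo -m'), name resolution, or the SID-to-uid allocation that the winbindd log was complaining about.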


