[Samba] Samba NT4 trusting AD

Hoogstraten, Ton Ton.Hoogstraten at ingram.nl
Wed Jun 14 10:14:35 GMT 2006


Hi,
 
I'm currently working on getting our site migrated from an NT4 domain into an
AD domain. 2-way trusts have been established. The idea is that with SID
history users in the AD domain can access their files on the samba server in
the NT4 domain. This works for an unknown time interval. With the AD account
I can access the shares through the sid history in the NT4 domain joined
samba server.
 
Winbind is used for user auth. Say for example my NT4 user gets mapped to
the uid 10000. I access the server from my AD account which will at that
stage revert to 10000 from my NT4 account. After an unknown time interval
this stops working. All of a sudden my AD account for example will resolve
to uid 100011 and cannot access the shares where uid 10000 has permission
for. If I run a 'getent passwd' I get all users returned from winbind with
the last returned uid is 10010. After the unknown time interval the AD
account with SID History falls outside the range returned by winbind.
 
If I restart the winbind and smb services together everything is working
again. The AD account once again goes through as the NT4 uid 10000. Then
after a while (I really don't know the time that is passing, it's different
every time) this stops working and I end up with the AD account resolving as
100011 which falls outside the range returned by winbind.
 
I need to restart both the smb services and the winbind service to get it
working again for a short while. If I only restart smb services or the
winbind service it does not work.
 
Does anybody know what is causing this and hopefully also can fix this?
 
If not, does anybody know how I can get the NT4 domain and the AD domain
both enumerated in winbind so I can temporarily fix this by allowing AD
users and groups to be assigned to shares and file permissions?
 
For as long as the migration will take I need both the NT4 domain and the AD
domain to be able to access shares on the samba server.
 
Many thanks in advance,
 
Ton Hoogstraten

