[Samba] Trust relationship and LDAP backend

simo idra at samba.org
Thu May 11 13:18:11 GMT 2006


On Thu, 2006-05-11 at 08:42 -0300, Carlos Eduardo Pedroza Santiviago
wrote:
> Hi,
> 
> I have a domain using LDAP backend, and recently we've managed to establish
> a trust relation with another domain in our network, which uses a pure NT4
> server. After that, some accounts from the trusted domain started being
> created in our base. The user created doesn't have the same attributes as a
> valid user (he doesn't have sambaSamAccount, for example). But for auditing
> purposes, this shouldn't happen.
> 
> Is this a normal behaviour?

If you don't use winbindd (nss_winbindd) it is. Samba needs a posix user
to be able to accept any login on the server. If you run winbindd in
trusted domain only mode then it will create posix accounts for you on
the fly (allocating them out of the idmap uid range).

If you do not provide corresponding posix accounts for trusted users
then samba will try to create users in the local account storage by
means of the add user account scripts. (But it will not populate them
with windows account attributes because they are not local accounts, and
all the information is retrieved from the remote trusted server.)

I recommend that you use winbindd in such an environment; it will not only
keep your ldap tree clear but it will also act as a connection proxy and
will lessen the load on your DCs, as well as do some caching.

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer
email: idra at samba.org
http://samba.org
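The auditing concern in the original question, as an added example that is not part of this thread or of Samba itself: the script below reads an LDIF export of the LDAP backend (a constructed sample is embedded) and reports posixAccount entries that carry no sambaSamAccount object class, which is the signature of accounts created by the add user script for trusted-domain logins rather than by the domain's own provisioning. It also flags uidNumbers that fall inside the range winbindd would use for idmap allocation, so that locally created accounts and winbindd-allocated ones can be kept from colliding. The LDIF contents, the DNs and the idmap range (IDMAP_UID_RANGE) are all assumptions for illustration.

```python
"""Audit an LDIF export for posix accounts lacking Samba attributes.

Added example, not part of the mailing-list thread or of Samba. It models the
situation described in the thread: without winbindd, Samba's add user script
creates bare posix accounts in the LDAP backend with no sambaSamAccount object
class. The sample LDIF and the idmap range below are constructed assumptions.
"""
from __future__ import annotations

import base64
from dataclasses import dataclass

# Assumed idmap uid range, matching a hypothetical "idmap uid = 10000-20000"
# in smb.conf; accounts created outside winbindd should not land in it.
IDMAP_UID_RANGE = (10000, 20000)

# Constructed LDIF export; not real directory data.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
objectClass: top
objectClass: posixAccount
objectClass: sambaSamAccount
uid: alice
uidNumber: 1001
sambaSID: S-1-5-21-1-2-3-1001

dn: uid=bob,ou=People,dc=example,dc=com
objectClass: top
objectClass: posixAccount
uid: bob
uidNumber: 1002

dn: uid=NT4DOM+carol,ou=People,dc=example,dc=com
objectClass: top
objectClass: posixAccount
uid: NT4DOM+carol
uidNumber: 10042
"""


@dataclass
class Finding:
    dn: str
    reasons: list


def _unfold(text: str) -> list:
    """Join LDIF continuation lines (leading space) onto the previous line."""
    lines: list = []
    for line in text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    return lines


def parse_ldif(text: str) -> list:
    """Parse LDIF into a list of dicts: lowercased attribute -> list of values."""
    entries: list = []
    current: dict = {}
    for line in _unfold(text):
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        value = value.strip()
        if value.startswith(":"):  # "attr:: base64" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        # LDAP attribute names are case-insensitive, so normalise the key.
        current.setdefault(attr.strip().lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def audit(entries: list, idmap_range=IDMAP_UID_RANGE) -> list:
    """Return a Finding for every entry that looks like a bare add-user-script
    account or whose uidNumber collides with the winbindd idmap range."""
    lo, hi = idmap_range
    findings: list = []
    for entry in entries:
        classes = {c.lower() for c in entry.get("objectclass", [])}
        reasons: list = []
        if "posixaccount" in classes and "sambasamaccount" not in classes:
            reasons.append("posixAccount without sambaSamAccount "
                           "(likely created by the add user script)")
        for uid in entry.get("uidnumber", []):
            if uid.isdigit() and lo <= int(uid) <= hi:
                reasons.append(f"uidNumber {uid} lies inside the idmap range {lo}-{hi}")
        if reasons:
            findings.append(Finding(entry["dn"][0], reasons))
    return findings


if __name__ == "__main__":
    for finding in audit(parse_ldif(SAMPLE_LDIF)):
        print(finding.dn)
        for reason in finding.reasons:
            print("  -", reason)
```

Run against a real export (`ldapsearch -LLL ... > export.ldif`) the same two checks separate accounts provisioned with the Samba schema from the ones the add user script left behind, which is the list an auditor would want to reconcile against winbindd's idmap allocations after switching to trusted-domain-only mode.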
