[Samba] Domain member, security = ADS|domain and trusts with NT4
Jonathan Johnson
jon at sutinen.com
Thu Jul 12 19:26:42 GMT 2007
After extensive testing, the answer I come up with is "yes, and no."
Jonathan Johnson wrote:
> I presently have a Samba server (3.0.21b) set up as a member server in
> an NT4 domain (with a real Windows NT4 PDC). We are migrating to an
> Active Directory domain (with a real Windows 2003 domain controller).
>
> We have set up a two-way trust between the old NT4 domain "CLUNKY" and
> the new ADS domain "SLEEK" (aka sleek.local). The Samba server is a
> member of the CLUNKY domain (security = domain) and authentication is
> against the PDC for the CLUNKY domain.
>
> How can I ensure that users in both CLUNKY and SLEEK can access the
> Samba server? Will joining the Samba server to SLEEK with security =
> ADS allow this? Will Samba honor the domain trust?
If a share is not restricted with "valid users =", then the user in
SLEEK can access the share on the Samba server in CLUNKY. However, if
you have restrictions on the share such as
valid users = @CLUNKY+sales, CLUNKY+fred
then the user 'fred' in the SLEEK domain will NOT be able to access. You
can grant SLEEK+fred access by modifying:
valid users = @CLUNKY+sales, CLUNKY+fred, SLEEK+fred
so it appears that you can add users in trusted domains to the 'valid
users =' directive. However, groups of trusted domains don't work:
valid users = @CLUNKY+sales, @SLEEK+sales
If 'fred' is a member of the group SLEEK+sales, fred will NOT have
access (assuming the Samba server is in the CLUNKY domain).
-Jonathan Johnson
Sutinen Consulting, Inc.
www.sutinen.com
More information about the samba
mailing list