[Samba] Trustdom setup and trusted group management

devel at thom.fr.eu.org
Thu May 29 12:59:03 GMT 2008


Hello,

I did join 2 sites using an IPSEC tunnel, and made one domain trust the
other (2 small Samba DC based domains with about 10 users in each)

I first had resolving issues until I decided to keep only one WINS server
for both networks (though this is still an issue to me because if for any
reason the tunnel is broken, I have no longer WINS on one side).

Finally, here is my setup:

Network A 1.1.0.0/16 with Samba DC ServA for domain DomA at ip 1.1.254.254
(which also acts as IPSEC gateway and firewall).
Network B 2.1.0.0/16 with Samba DC ServB for domain DomB at ip 2.1.254.254
(which also acts as IPSEC gateway and firewall).

Browsing is OK (I think):

        preferred master = Yes
        local master = Yes
        domain master = Yes
        browse list = Yes
        enhanced browsing = Yes
        remote announce = 1.1.254.254 (2.1.254.254 for ServA)
        remote browse sync = 1.1.254.254 (2.1.254.254 for ServA)

ServB is the WINS for both networks.

        name resolve order = wins host lmhosts bcast
        wins proxy = Yes
        wins support = Yes

All nodes on both networks configured as peer to peer (0x3).
All nodes can access any other whatever the network.

From here, I set up the trustdom: DomA is the trusted domain and DomB the
trusting one.

The net rpc trustdom establish DomA run on ServB returned:
Unable to join ServA
Successfully joined DomA

From here, I set up winbindd on ServB to be able to play with DomA users.

        idmap domains = DomA
        idmap alloc backend = tdb
        template homedir = /home/home/%D/%U
        template shell = /bin/false
        winbind separator = \
        winbind enum users = Yes
        winbind enum groups = Yes
        winbind use default domain = No
        winbind trusted domains only = No
        winbind nested groups = Yes
        winbind nss info = template
        winbind:rpc only = yes
        idmap config DomA:range = 4000-4999
        idmap config DomA:default = Yes
        idmap config DomA:backend = tdb
        idmap alloc config:range = 3000-3999

And here, I have a strange failure: wbinfo -t returns either "checking
the trust secret via RPC calls failed
error code was NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND (0xc0000233)
Could not check secret"
However, nmblookup -R -U 2.1.254.254 DomA#1b gives me 1.1.254.254 DomA#1b,
and I can successfully look up DomA users and groups using both wbinfo -u/g
and getent passwd/group.
But the ids allocated are not in the range given by idmap config
DomA:range = 4000-4999 but in the range given by idmap alloc config:range =
3000-3999.

This is the first thing I am trying to fix.

The other thing now is how to grant DomA users rights to access and
modify the files/shares/printers from DomB, as DomB was so far only managed
using domain groups that were mapped from unix groups.

Can anybody help?

-- 
François Legal
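An added sanity check for the idmap symptom described in the post (this is not code from the post or from Samba itself): it parses the idmap range lines quoted above, flags per-domain and alloc ranges that overlap, and reports which configured range an id returned by getent actually landed in. The smb.conf text embedded below is constructed from the post; the function names are my own.

```python
import re

# Constructed from the winbind/idmap section of the post above, not a real smb.conf file.
SMB_CONF = """
        idmap domains = DomA
        idmap alloc backend = tdb
        idmap config DomA:range = 4000-4999
        idmap config DomA:default = Yes
        idmap config DomA:backend = tdb
        idmap alloc config:range = 3000-3999
"""

# Matches "idmap config <DOMAIN>:range = low-high" and "idmap alloc config:range = low-high".
RANGE_RE = re.compile(
    r"^\s*idmap\s+(alloc\s+config|config\s+(\S+)):range\s*=\s*(\d+)\s*-\s*(\d+)\s*$",
    re.IGNORECASE,
)


def parse_idmap_ranges(conf):
    """Return {name: (low, high)} for every idmap range line; 'alloc' is the alloc range."""
    ranges = {}
    for line in conf.splitlines():
        m = RANGE_RE.match(line)
        if not m:
            continue
        name = "alloc" if m.group(2) is None else m.group(2)
        low, high = int(m.group(3)), int(m.group(4))
        if low > high:
            raise ValueError(f"inverted range for {name}: {low}-{high}")
        ranges[name] = (low, high)
    return ranges


def overlapping_ranges(ranges):
    """Pairs of range names whose intervals intersect (a classic idmap misconfiguration)."""
    names = sorted(ranges)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]]


def locate_id(ranges, uid):
    """Name the configured range an observed uid/gid fell into, or None if it fits nowhere."""
    for name, (low, high) in ranges.items():
        if low <= uid <= high:
            return name
    return None


if __name__ == "__main__":
    r = parse_idmap_ranges(SMB_CONF)
    print("ranges:", r, "overlaps:", overlapping_ranges(r))
    # A DomA user mapped to uid 3001 (as in the post) lands in the alloc range, not DomA's.
    print("uid 3001 came from range:", locate_id(r, 3001))
```

Feed it the uids/gids that getent passwd/group prints for DomA accounts to see at a glance which range the allocator used.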