[Samba] Trustdom setup and trusted group management

Charlie medievalist at gmail.com
Thu May 29 15:07:57 GMT 2008


Yeah, I'm baffled by the relationship between domain trusts and WINS.
There's some sort of weird dependency there that I can't figure out.
lmhosts doesn't seem to help much either.

If you have WAN-linked domains with multiple segments (like most
medium-to-large businesses) you want to have a WINS server per LAN so
that your local networks don't fail every time the phone company
fubars your WAN link.  This is intuitively obvious, but it contradicts
the documentation a little (because the "one WINS server per network"
should actually say "one WINS server per LAN" or possibly "one WINS
server per domain").

Interdomain trusts haven't worked right for me since smbpasswd went
away.  There's a sambaTrustPassword attribute in the LDAP schema file
distributed by the samba team, but no indications of how to use it,
and the "net" toolset doesn't seem to create or modify it.

Sorry this post is no help.  :( If you figure out what exactly the
relationship is between WINS and domain trusts, please post your
findings!

Thanks,
--Charlie


On Thu, May 29, 2008 at 8:59 AM,  <devel at thom.fr.eu.org> wrote:
> Hello,
>
> I did join 2 sites using an IPSEC tunnel, and made one domain trust the
> other (2 small Samba DC based domains with about 10 users in each)
>
> I first had resolving issues until I decided to keep only one WINS server
> for both networks (though this is still an issue to me because if for any
> reason the tunnel is broken, I have no longer WINS on one side).
>
> Finally here is my setup :
>
> Network A 1.1.0.0/16 with Samba DC ServA for domain DomA at ip 1.1.254.254
> (which also acts as IPSEC gateway and firewall).
> Network B 2.1.0.0/16 with Samba DC ServB for domain DomB at ip 2.1.254.254
> (which also acts as IPSEC gateway and firewall).
>
> Browsing is Ok (I think) :
>
>        preferred master = Yes
>        local master = Yes
>        domain master = Yes
>        browse list = Yes
>        enhanced browsing = Yes
>        remote announce = 1.1.254.254 (2.1.254.254 for ServA)
>        remote browse sync = 1.1.254.254 (2.1.254.254 for ServA)
>
> ServB is the WINS for both networks.
>
>        name resolve order = wins host lmhosts bcast
>        wins proxy = Yes
>        wins support = Yes
>
> All nodes on both networks configured as peer to peer (0x3).
> All nodes can access any other whatever the network.
>
> From here, I setup the trustdom : DomA is the trusted domain and DomB the
> trusting one.
>
> the net rpc trustdom establish DomA ran on ServB returned
> Unable to join ServA
> Successfully joined DomA
>
> From here, I setup winbindd on ServB to be able to play with DomA users.
>
>        idmap domains = DomA
>        idmap alloc backend = tdb
>        template homedir = /home/home/%D/%U
>        template shell = /bin/false
>        winbind separator = \
>        winbind enum users = Yes
>        winbind enum groups = Yes
>        winbind use default domain = No
>        winbind trusted domains only = No
>        winbind nested groups = Yes
>        winbind nss info = template
>        winbind:rpc only = yes
>        idmap config DomA:range = 4000-4999
>        idmap config DomA:default = Yes
>        idmap config DomA:backend = tdb
>        idmap alloc config:range = 3000-3999
>
> And here, I have a strange failure : wbinfo -t returns either "checking
> the trust secret via RPC calls failed
> error code was NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND (0xc0000233)
> Could not check secret"
> However nmblookup -R -U 2.1.254.254 DomA#1b gives me 1.1.254.254 DomA#1b,
> and I can successfully lookup DomA users and groups using both wbinfo -u/g
> and getent passwd/group
> But, the ids allocated are not in the range given by idmap config
> DomA:range = 4000-4999 but the range in idmap alloc config:range =
> 3000-3999
>
> This is the first thing I'm trying to fix.
>
> The other thing now, is how to grant DomA users rights to access and
> modify the files/shares/printers from DomB as DomB was so far only managed
> using domain groups that were mapped from unix groups.
>
> Can anybody help?
>
> --
> François Legal
>
>
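As an added example (not part of François's post, Charlie's reply, or Samba's own tooling): a small Python checker that parses the winbind idmap settings out of an smb.conf fragment and compares them with what getent passwd reports. It flags overlapping ranges (a uid-collision risk between domains, or between a domain and the allocator) and, per winbind-provided account, whether the uid landed in the domain's configured range, in the idmap alloc range, or nowhere. The smb.conf fragment and the getent lines below are constructed to mirror the values in the post, so the run reproduces the symptom described there: DomA users with uids from the 3000-3999 allocator range rather than the 4000-4999 DomA range.

```python
"""Sanity-check winbind idmap ranges against the uids getent actually reports.

Added example; the smb.conf fragment and getent output are constructed
(they mirror the post, they were not captured from a real system).
"""
import re

# Constructed smb.conf fragment, values taken from the post.
SMB_CONF = """\
[global]
        winbind separator = \\
        idmap alloc backend = tdb
        idmap config DomA:range = 4000-4999
        idmap config DomA:default = Yes
        idmap config DomA:backend = tdb
        idmap alloc config:range = 3000-3999
"""

# Constructed `getent passwd` output showing the symptom from the post:
# DomA users received uids from the allocator range, not the DomA range.
GETENT_PASSWD = """\
DomA\\alice:*:3000:3001:alice:/home/home/DomA/alice:/bin/false
DomA\\bob:*:3002:3001:bob:/home/home/DomA/bob:/bin/false
localuser:x:1000:1000::/home/localuser:/bin/bash
"""

RANGE_RE = re.compile(r'^\s*idmap config ([^:\s]+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)', re.I)
ALLOC_RE = re.compile(r'^\s*idmap alloc config\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)', re.I)
SEP_RE = re.compile(r'^\s*winbind separator\s*=\s*(\S)', re.I)


def parse_idmap(conf):
    """Return ({DOMAIN: (lo, hi)}, alloc_range_or_None, winbind_separator)."""
    domains, alloc, sep = {}, None, '\\'  # Samba's default separator is a backslash
    for line in conf.splitlines():
        m = RANGE_RE.match(line)
        if m:
            domains[m.group(1).upper()] = (int(m.group(2)), int(m.group(3)))
            continue
        m = ALLOC_RE.match(line)
        if m:
            alloc = (int(m.group(1)), int(m.group(2)))
            continue
        m = SEP_RE.match(line)
        if m:
            sep = m.group(1)
    return domains, alloc, sep


def overlapping_ranges(domains, alloc):
    """Return pairs of range names whose intervals overlap.

    Overlapping ranges mean two different SIDs can be handed the same uid,
    which silently merges file ownership between domains."""
    items = list(domains.items())
    if alloc:
        items.append(('ALLOC', alloc))
    bad = []
    for i, (name1, (lo1, hi1)) in enumerate(items):
        for name2, (lo2, hi2) in items[i + 1:]:
            if lo1 <= hi2 and lo2 <= hi1:
                bad.append((name1, name2))
    return bad


def misplaced_ids(getent_output, domains, alloc, sep):
    """Return (account, uid, diagnosis) for each winbind account whose uid is
    outside the range configured for its domain."""
    problems = []
    for line in getent_output.splitlines():
        fields = line.split(':')
        if len(fields) < 3 or sep not in fields[0]:
            continue  # local account, not provided by winbind
        domain, _user = fields[0].split(sep, 1)
        uid = int(fields[2])
        lo, hi = domains.get(domain.upper(), (None, None))
        if lo is None:
            problems.append((fields[0], uid, 'no idmap range configured for domain'))
        elif not lo <= uid <= hi:
            if alloc and alloc[0] <= uid <= alloc[1]:
                diagnosis = 'uid came from idmap alloc range'
            else:
                diagnosis = 'uid outside every configured range'
            problems.append((fields[0], uid, diagnosis))
    return problems


if __name__ == '__main__':
    doms, alloc_range, separator = parse_idmap(SMB_CONF)
    print('domain ranges:', doms, 'alloc range:', alloc_range)
    for pair in overlapping_ranges(doms, alloc_range):
        print('OVERLAP:', pair)
    for account, uid, why in misplaced_ids(GETENT_PASSWD, doms, alloc_range, separator):
        print(f'{account}: uid {uid}: {why}')
```

On a real host the two constructed strings would be replaced by reading /etc/samba/smb.conf and the output of `getent passwd`; the regexes only understand the `idmap config DOM:range` and `idmap alloc config:range` forms used in the post, so older `idmap uid`/`idmap gid` settings are not parsed.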

