[Samba] winbind, ntlm_auth and multiple AD domains

lukasz.fiszer lukasz.fiszer at grenoble.cnrs.fr
Tue May 5 10:21:21 GMT 2009


In the organization where I work there are several laboratories, each
having its own, independent Active Directory Domain (there are no trust
relationships between them). We want to build a central 802.1x
authentication with users' credentials being verified in these ADs. To
achieve this we configured a central FreeRadius server + winbind and
ntlm_auth from the Samba suite. It works perfectly with one AD, but the
situation with multiple ADs seems to be very troublesome.

The question is: is it possible to have multiple winbind instances, each
bound to a different AD domain and each being interacted with (via
FreeRadius) by a different instance of ntlm_auth? Or maybe it is possible
to bind one winbind to more than one domain?

I've managed so far to run multiple instances of winbind (each with a
different configuration), but because of the pipe in /tmp/ ntlm_auth
interacts only with the most recent one.

We have already considered other solutions (trust between domains, running
multiple configurations on virtual machines) but for many security,
political and redundancy reasons these are not suitable solutions for us.

Any suggestions will be highly appreciated.

Best regards
Lukasz Fiszer
