[Samba] Trusted domain users unwantedly mapping onto local domain users
Gaiseric Vandal
gaiseric.vandal at gmail.com
Thu Oct 21 16:07:43 MDT 2010
Re ssh - I should try that.
Windows 2003 Native mode - you can't have NT4 BDCs in the domain.
Trusts with NT4 domains are OK (at least they should be.) Samba (as a
PDC) emulates an NT4 domain but still seems to use Kerberos for locating
DCs (which would make sense if you want it to be an Active Directory
domain member.)
I also have trusts set up with my samba domain and a Windows 2008 domain
(in Win 2003 mode)- but I haven't tested that much to see if it is
something specific to samba or some weird issue with the windows 2003
domain.
FYI - since I went to samba 3.4 from 3.03, idmap does NOT automatically
create entries in LDAP. I had to manually create them in LDAP. I had
the entries that samba 3.0.x would create as a template, so for a small
number of users and groups it was not too big a challenge. (Alternatively,
one could use "wbinfo --allocate-gid" and "wbinfo --allocate-uid".)
On 10/21/2010 05:15 PM, Bruce Richardson wrote:
> On Thu, Oct 21, 2010 at 05:02:55PM -0400, Gaiseric Vandal wrote:
>
>> I have not tried ssh'ing in as a trusted domain user (I definitely
>> don't want that available.)
>>
> It's not something I want to make available, but it was an important
> test to prove that winbind was creating the correct idmap entries and
> that this was making functional POSIX accounts available to the Linux
> host. What I don't understand is why Samba isn't mapping the trusted
> domain users onto those accounts.
>
>
>> Do you have an entry in krb5.conf for the trusted domain? I think
>> that is more of an issue for locating the DC.
>>
> I do.
>
>
>> At some point I changed the forest and domain modes on the Windows
>> 2003 DC from mixed to native. That may have broken something.
>>
> I'm surprised anything is working for you. I didn't think trust
> relationships between Samba or NT4 and AD would work at all if AD was in
> native mode.
>
>
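The hand-created idmap entries mentioned above (the ones Samba 3.0.x used to write into LDAP automatically) are exactly where the problem in this thread's subject can hide: a trusted-domain SID and a local-domain SID sharing one uidNumber means the trusted user lands on the local user's POSIX account. The script below is an added example, not code from the Samba project or from anyone in the thread. It assumes the Samba 3.0 idmap_ldap layout (objectClass sambaIdmapEntry and sambaSidEntry, attribute sambaSID plus uidNumber or gidNumber), a hypothetical container ou=Idmap,dc=example,dc=com, an assumed allocation range of 10000-19999, and a constructed LDIF sample with a deliberate collision.

```python
"""Audit Samba 3.x idmap entries (LDIF) for SID/uid collisions and allocate
new ids from the free part of the range.

Added example, not Samba project code. Assumptions: idmap container DN,
id range and the constructed LDIF below are hypothetical.
"""
import re

IDMAP_BASE = "ou=Idmap,dc=example,dc=com"      # hypothetical container DN
UID_RANGE = (10000, 19999)                      # assumed idmap allocation range
SID_RE = re.compile(r"^S-1-5-21(?:-\d+){4}$")   # domain SID (3 sub-auths) + RID

# Constructed sample: a local-domain user and a trusted-domain user with the
# same RID (1001) that were both given uidNumber 10001, plus one group entry.
SAMPLE_LDIF = """\
dn: sambaSID=S-1-5-21-111-222-333-1001,ou=Idmap,dc=example,dc=com
objectClass: sambaIdmapEntry
objectClass: sambaSidEntry
sambaSID: S-1-5-21-111-222-333-1001
uidNumber: 10001

dn: sambaSID=S-1-5-21-444-555-666-1001,ou=Idmap,dc=example,dc=com
objectClass: sambaIdmapEntry
objectClass: sambaSidEntry
sambaSID: S-1-5-21-444-555-666-1001
uidNumber: 10001

dn: sambaSID=S-1-5-21-111-222-333-513,ou=Idmap,dc=example,dc=com
objectClass: sambaIdmapEntry
objectClass: sambaSidEntry
sambaSID: S-1-5-21-111-222-333-513
gidNumber: 10005
"""


def parse_idmap_ldif(text):
    """Parse LDIF text into a list of {'dn', 'sid', 'kind', 'id'} dicts,
    keeping only sambaIdmapEntry objects (kind is 'uid', 'gid' or None)."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            if not line.strip() or line.startswith("#") or ":" not in line:
                continue
            key, value = line.split(":", 1)
            attrs.setdefault(key.strip().lower(), []).append(value.strip())
        classes = {c.lower() for c in attrs.get("objectclass", [])}
        if "sambaidmapentry" not in classes:
            continue
        entry = {"dn": attrs["dn"][0], "sid": attrs.get("sambasid", [""])[0],
                 "kind": None, "id": None}
        if "uidnumber" in attrs:
            entry["kind"], entry["id"] = "uid", int(attrs["uidnumber"][0])
        elif "gidnumber" in attrs:
            entry["kind"], entry["id"] = "gid", int(attrs["gidnumber"][0])
        entries.append(entry)
    return entries


def audit_idmap(entries, id_range=UID_RANGE):
    """Return a list of human-readable problems: malformed or duplicate SIDs,
    ids outside the range, and (the important one) two SIDs sharing an id."""
    problems, seen_sid, seen_id = [], set(), {}
    for e in entries:
        if not SID_RE.match(e["sid"]):
            problems.append(f"malformed SID in {e['dn']}")
            continue
        if e["sid"] in seen_sid:
            problems.append(f"duplicate SID {e['sid']}")
        seen_sid.add(e["sid"])
        if e["kind"] is None:
            problems.append(f"{e['sid']} has neither uidNumber nor gidNumber")
            continue
        if not id_range[0] <= e["id"] <= id_range[1]:
            problems.append(f"{e['sid']} maps to {e['kind']} {e['id']} outside {id_range}")
        key = (e["kind"], e["id"])
        if key in seen_id:
            problems.append(f"{e['kind']} {e['id']} shared by {seen_id[key]} and {e['sid']}")
        else:
            seen_id[key] = e["sid"]
    return problems


def next_free_id(entries, kind, id_range=UID_RANGE):
    """Lowest unused uid/gid in the range (what wbinfo --allocate-* would hand out)."""
    used = {e["id"] for e in entries if e["kind"] == kind}
    for n in range(id_range[0], id_range[1] + 1):
        if n not in used:
            return n
    raise RuntimeError("idmap range exhausted")


def make_idmap_entry(sid, number, kind):
    """Render one sambaIdmapEntry in the Samba 3.0 idmap_ldap layout as LDIF."""
    attr = "uidNumber" if kind == "uid" else "gidNumber"
    return (f"dn: sambaSID={sid},{IDMAP_BASE}\n"
            "objectClass: sambaIdmapEntry\n"
            "objectClass: sambaSidEntry\n"
            f"sambaSID: {sid}\n"
            f"{attr}: {number}\n")


if __name__ == "__main__":
    found = parse_idmap_ldif(SAMPLE_LDIF)
    for p in audit_idmap(found):
        print("PROBLEM:", p)
    print(make_idmap_entry("S-1-5-21-444-555-666-1002", next_free_id(found, "uid"), "uid"))
```

Run it against an export of the idmap container (for example the output of an ldapsearch on the ou=Idmap subtree) rather than the constructed sample; any "shared by" line is a trusted-domain user silently becoming a local POSIX user.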