[Samba] Trusted domain users unwantedly mapping onto local domain users
gaiseric.vandal at gmail.com
Thu Oct 21 16:07:43 MDT 2010
Re ssh - I should try that.
Windows 2003 Native mode- you can't have NT4 BDC's in the domain.
Trusts with NT4 domains are OK (at least should be.) Samba (as a
PDC) emulates an NT4 domain but still seems to use kerberos for locating
DC's (which would make sense if you want it to be an active directory
I also have trusts set up with my samba domain and a Windows 2008 domain
(in Win 2003 mode)- but I haven't tested that much to see if it is
something specific to samba or some weird issue with the windows 2003
FYI- since I went to samba 3.4 from 3.03 idmap does NOT automatically
create entries in LDAP. I had to manually create them in ldap. I had
the entries that samba 3.0.x would create as a template so, for a small
number of users and groups not have big a challenge. (alternately could
use "wbinfo --allocate-gid" and "wbinfo --allocate-uid.")
On 10/21/2010 05:15 PM, Bruce Richardson wrote:
> On Thu, Oct 21, 2010 at 05:02:55PM -0400, Gaiseric Vandal wrote:
>> I have not tried ssh'ing in as a trusted domain user (I definately
>> don't want that available..)
> It's not something I want to make available, but it was an important
> test to prove that winbind was creating the correct idmap entries and
> that this was making functional POSIX accounts available to the Linux
> host. What I don't understand is why Samba isn't mapping the trusted
> domain users onto those accounts.
>> Do you have an entry in krb5.conf for the trusted domain? I think
>> that is more of an issue for locating the DC.
> I do.
>> At some point I changed the forest and domain modes on the Windows
>> 2003 DC from mixed to native. That may have broken something
> I'm surprised anything is working for you. I didn't think trust
> relationships between Samba or NT4 and AD would work at all if AD was in
> native mode.
More information about the samba