[Samba] Domain trust between a Samba PDC domain and W2K ADdomain

Gaiseric Vandal gaiseric.vandal at gmail.com
Wed Jan 5 16:01:32 MST 2011


Most of the procedure for setting up trusts is in the docs on the
samba.org site. The idmap stuff is tricky since the mechanics seem to
change with each Samba version.

Once you have set up trusts, you want to make sure that the Samba
machine sees the AD users and groups with "wbinfo -u" and "wbinfo -g".
(Usually pretty easy to get to this part.) Then you want to update
nsswitch.conf to make sure "getent passwd" and "getent group" also show
the AD users. (This relies on the idmap stuff working.)

-------- Original Message --------
Subject: Re: [Samba] Domain trust between a Samba PDC domain and W2K
Date: Wed, 05 Jan 2011 17:53:48 -0500
From: Gaiseric Vandal <gaiseric.vandal at gmail.com>
Reply-To: gaiseric.vandal at gmail.com
To: samba at lists.samba.org

I have a Samba domain (Samba 3.4.x PDC) and a Windows 2003 (in 2003
native mode) domain. Trusts MOSTLY work - having Samba recognize AD
users is a little trickier.

For Samba to trust Windows, make sure you have idmap info defined in
smb.conf. I have an LDAP backend - it may not be quite correct.

idmap alloc backend = ldap
idmap alloc config:ldap_url = ldap://ldap1.mydomain.com
idmap alloc config:ldap_base_dn = ou=alloc,ou=idmap,o=mydomain.com
idmap alloc config:ldap_user_dn = cn=xxxx
idmap alloc config:range = 30000 - 79999

idmap config WINDOMAIN:backend = ldap
idmap config WINDOMAIN:readonly = no
idmap config WINDOMAIN:default=no
idmap config WINDOMAIN:ldap_base_dn = ou=windomain,ou=idmap,o=mydomain.com
idmap config WINDOMAIN:ldap_user_dn = cn=xxxx
idmap config WINDOMAIN:ldap_url = ldap://ldap1.mydomain.com
idmap config WINDOMAIN:range = 30000-39999

I would also make sure that both the Samba and Windows DC use the same
WINS server.
You may want to have them use the same DNS server - or at least make
sure that the DNS server each is using supports the AD DNS stuff from
the Windows domain.

On the Samba PDC, I also added an entry in krb5.conf for the trusted
domain. Not sure if that really mattered. Samba logs indicated it
was looking for the KDC for the administration domain.

On 01/05/2011 04:52 PM, tms3 at tms3.com wrote:
>>  Hi people.
>>  I'm working on a trust relation between Samba 3.3.X and Windows 2003
>>  AD mixed mode.
>>  I have read the doc about this but for some reason it won't work; my
>>  PDC+LDAP is working but I still cannot make these 2 servers share
>>  users.
>  In my experience, it is fairly straightforward to get AD users trusted
>  by the Samba controlled Domain, although granular file permissions
>  are tricky at best. In the opposite direction, this is quite
>  difficult, unless the AD domain is in the very old now, mixed mode.
>>  Could you please give me the process you use to create the relation
>>  between win2k3 (in/out) and Samba?
>>  I will appreciate it, thanks!!!
>>  --
>>  Living the dream...
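The verification step described above (winbind lists the trusted-domain users, but NSS only resolves them once idmap works) as an added POSIX sh check. This is example code, not from the thread; it runs on constructed sample output for a trusted domain called WINDOMAIN, and the `name=$(...)` substitution in the comment shows how to feed it live `wbinfo -u` / `getent passwd` output.

```shell
#!/bin/sh
# Constructed sample of `wbinfo -u` on a Samba PDC trusting WINDOMAIN
# (default winbind separator is a backslash). Not real data.
WBINFO_USERS='MYDOMAIN\alice
WINDOMAIN\carol
WINDOMAIN\dave'

# Constructed `getent passwd` where only carol received a uid via idmap;
# dave is missing, which is the symptom of a broken idmap/nsswitch setup.
GETENT_BROKEN='root:x:0:0:root:/root:/bin/sh
WINDOMAIN\carol:*:30001:30000:Carol:/home/WINDOMAIN/carol:/bin/false'

# Same, but with every trusted-domain user mapped (the healthy case).
GETENT_OK="$GETENT_BROKEN
WINDOMAIN\dave:*:30002:30000:Dave:/home/WINDOMAIN/dave:/bin/false"

# Print each DOMAIN\user that winbind reports for $1 but that NSS does not
# resolve. $2 = output of `wbinfo -u`, $3 = output of `getent passwd`.
missing_from_nss() {
    domain="$1"
    printf '%s\n' "$2" | grep -i "^$domain\\\\" | while IFS= read -r user; do
        name=${user#*\\}                      # strip "DOMAIN\" prefix
        # passwd entries keep the DOMAIN\user form when winbind is in nsswitch
        if ! printf '%s\n' "$3" | grep -iq "^$domain\\\\$name:"; then
            printf '%s\n' "$user"
        fi
    done
}

# Succeed (exit 0) only when every winbind user of the domain resolves
# through NSS. Live use: check_idmap WINDOMAIN "$(wbinfo -u)" "$(getent passwd)"
check_idmap() {
    [ -z "$(missing_from_nss "$@")" ]
}

# Stand-alone demo on the constructed data: lists WINDOMAIN\dave.
missing_from_nss WINDOMAIN "$WBINFO_USERS" "$GETENT_BROKEN"
```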
