[Samba] Interdomain Trusts & winbind

john at hytronix.com
Wed Jun 29 08:00:48 MDT 2011


Hi List,

In an effort to keep this succinct and orderly I'll briefly state what I'm
trying to do:

I have two samba domains, DOM1 and DOM2.  They are on separate subnets and
all IP routing is configured.

DOM1 has ~100 users on one samba DC and uses the ldap backend.  Works
great and has been in service for a while.  Samba version is 3.0.29.

DOM2 has ~10 users on one samba DC and uses the tdb backend.  These users
have the same UNIX usernames, uids, and gids on DOM1.  The group mappings
from UNIX groups to domain groups are the same on both DCs. Samba version
is 3.5.9.

I set up trust accounts and established the trusts.  Both DCs trust each
other.  net rpc trustdom list on each shows this correctly.

I had some trouble with getting the browse lists to propagate to each
other, so I added static entries for each DC in the other's wins.dat.
This took care of browsing, which now works.

THE PROBLEM:

Log in to DOM2.  Browse to a share on DOM1.  If the share's permissions
are set to the primary group of the connecting user (every user's primary
group is samba, gid 1000), then access to the share succeeds.  If the
share's permissions are set to one of the user's supplemental groups,
access to the share is denied.

WHAT I TRIED:

I initially thought that identical group names/gids and user names/uids
and identical group maps would allow trusted domains to access each other,
but some reading demonstrated that I need to use winbind, at least on
DOM1's DC, in order for the above scenario to work.

I allocated a winbind map pool on both DCs and started winbindd.

Result:  The DC on DOM2 can see all of the local users as well as all the
users on DOM1 with wbinfo -u.  wbinfo -u fails to show *anything* when run
on the DC on DOM1.  Winbind also had no effect on share access.

Suggestions, anyone?  I can post whatever portions of smb.conf might be
helpful, of course.

Thanks,

-JE
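The failure described above (primary-group access works, supplemental-group access is denied) comes down to which gids DOM1's DC actually resolves for the trusted user. The following is an added diagnostic, not part of the original post: it takes the gid list that `id -G` prints and reports whether a share's group is reached via the primary group, a supplementary group, or not at all, and it lists which gids one DC resolves that the other does not. The sample gid values and the DOM2\je account name are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original post. Classify how a share's
# owning group is reached for a user, given the user's primary gid and
# the gid list as printed by `id -G <user>`.
# Usage: share_access_via <primary_gid> <share_gid> <gid> [<gid> ...]
# Prints one of: primary, supplementary, none
share_access_via() {
    primary="$1"; share_gid="$2"; shift 2
    for g in "$@"; do
        if [ "$g" = "$share_gid" ]; then
            if [ "$g" = "$primary" ]; then echo primary; else echo supplementary; fi
            return 0
        fi
    done
    echo none
}

# Print the gids in the second (space-separated) list that are absent
# from the first. Used to compare what DOM1's DC resolves for a trusted
# user against what DOM2's DC (the user's home DC) resolves.
missing_gids() {
    have="$1"; want="$2"
    for g in $want; do
        case " $have " in
            *" $g "*) ;;
            *) printf '%s\n' "$g" ;;
        esac
    done
}

# Constructed sample: on DOM2's DC the user resolves to primary gid 1000
# plus supplementary gids 1005 and 1010; via winbind on DOM1's DC only
# the primary gid comes back, which matches the symptom in the post.
DOM2_GIDS="1000 1005 1010"
DOM1_GIDS="1000"
echo "share owned by gid 1000 on DOM1: $(share_access_via 1000 1000 $DOM1_GIDS)"
echo "share owned by gid 1005 on DOM1: $(share_access_via 1000 1005 $DOM1_GIDS)"
echo "gids DOM1's DC does not resolve for this user:"
missing_gids "$DOM1_GIDS" "$DOM2_GIDS"

# Live use on DOM1's DC (assumed names, not run here), once winbind
# resolves DOM2\je; `stat -c %g` is GNU coreutils:
#   share_access_via "$(id -g 'DOM2\je')" "$(stat -c %g /srv/share)" $(id -G 'DOM2\je')
```

If the live run prints `none` for a group that `id -G` shows on DOM2's DC, the trust and winbind are not supplying that user's supplementary groups to DOM1, which is the first thing to confirm before changing share permissions.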