[Samba] Samba with clients in multiple domains

Daniel Müller mueller at tropenklinik.de
Fri Feb 10 04:49:54 MST 2012


Hello again,
first of all do the 2 domains(Windows Domain?) trust each other.
Let the samba be a member server of one of the domains:
Ex could be:

[global] 
workgroup = yourdomain 
security = DOMAIN (or ads?)
smb ports = 139 
...
 idmap domains = Domain1 Domain2
 ...
 idmap config Domain1 : backend = ad  #(or rid?)
 idmap config Domain1 : range = 10001-20000
 ...
 idmap config Domain2 : backend = ad #(or rid?)
 idmap config Domain2 : range = 20001-30000
winbind separator = + 


If so you can have winbind doing the job for you.

Google for winbind 2 domains

Good Luck


-----------------------------------------------
EDV Daniel Müller

Leitung EDV
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen

Tel.: 07071/206-463, Fax: 07071/206-499
eMail: mueller at tropenklinik.de
Internet: www.tropenklinik.de
-----------------------------------------------
-----Ursprüngliche Nachricht-----
Von: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] Im
Auftrag von Battersby-Cornmell, Robin
Gesendet: Freitag, 10. Februar 2012 12:13
An: 'samba at lists.samba.org'
Betreff: [Samba] Samba with clients in multiple domains

Dear all,

I've not got a good starting point I'm afraid, but I was forced to deploy
Samba under pressure of failing hardware so an urgent migration was done. We
didn't get the IBM AIX 6.1 supplied one running at all, so we pulled down
the samba.org version 3.4.3. We couldn't get that working as we wished, but
it did at least share. It has been merrily allowing any request to mount
(read-only) the shares. All was well with the function, but obviously it is
not appropriate for the sensitive data was are sharing. The setting I had to
put in was security=SHARE and on each share, we have guest login allowed.

My problem is that our clients are in at least two domains and the server is
standalone, i.e. no LDAP or whatever connection set up on the operating
system in /etc/netsrv.conf or anything. We are an outsourcing company so we
have our servers & users and the client company users all wanting to access
the data.

I've tried reading the manual pages, but I have to understand much more
about security and protocols than I do to get my foot in the door, so to
speak. The more I try to find out, the more confused I get.  What I have
tried has always prevented any access. Great for security, but useless for
actually operating the business.

It has been parked for quite a while now especially as the failing hardware
also allowed guest connections so I had nothing to compare to. I've now
forgotten what attempts I have made, but now Internal Audit are on my case
to lock it down. Can anyone point me in the right direction? I would prefer
to grant access to an Active Directory group of users if that is possible,
but then it needs to validate the user on more than one domain......um?

My head hurts already.

Full config (slightly sanitised) can be posted if this is useful, but I
didn't want to flood the thread first off.


Robin
Liverpool/Blackburn
UK

Diligenta Limited (No. 5535029) is a subsidiary of Tata Consultancy Services
Limited. Diligenta 2 Limited (No. 4087012) is a subsidiary of Diligenta
Limited.
Both companies are registered in England and have their registered office at
Lynch Wood, Peterborough, PE2 6FY and are authorised and regulated by the
Financial Services Authority.

The information in this e-mail is confidential and may be legally
privileged. It is intended solely for the addressee and access to this
e-mail by anyone else is unauthorised. Although this message and any
attachments are believed to be free of any virus or other defect that might
affect any computer system into which it is received and opened, it is the
responsibility of the recipient to ensure that it is virus free and no
responsibility is accepted by Diligenta Limited or Diligenta 2 Limited for
any loss or damage in any way arising from its use. Any views or opinions
presented are solely those of the author and do not necessarily represent
those of Diligenta Limited or Diligenta 2 Limited. Replies to this e-mail
may be monitored for operational or business reasons.
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba



More information about the samba mailing list