[Samba] Question regarding default user domain in samba

Andrew Bartlett abartlet at samba.org
Sun Feb 26 18:48:49 MST 2012


On Wed, 2012-02-22 at 12:40 -0600, Daniel Patrick Sullivan wrote:
> Hi, Everybody,
> 
> I sent an email to this list with a couple of questions in it earlier
> this week; this is kind of a 'repeat' question, so I apologize if
> you've read this one already; I wanted to flesh out the details of my
> inquisition a tad bit more in hopes that somebody could potentially
> chime in with an answer as I am afraid that I either a) didn't
> articulate my question in enough detail or b)  didn't ask nicely
> enough the first time :-)
> 
> Ok, so here's my problem; I am working in an environment with an
> Active Directory forest where 100% of our user accounts exist one
> domain and 100% of our computer objects exist in another domain.  I
> have winbind setup with pam & ssh, and everything is working fine.  I
> can authenticate across the trust no problem.  My issue is that whever
> I authenticate, I have to supply the domain name and whatever domain
> separator is configured in smb.conf to get this working.  I know about
> the "use default domain" option in smb.conf, but from what I
> understand this will only "prepend" the default realm, or the domain
> that the computer is actually a domain member of.  So really, I want
> to:
> 
> 1) set the 'use default domain' option (or implement similar functionality) AND
> 2) specify the actual domain that is used (i.e. a domain that is
> trusted, although NOT the domain that the server is actually a member
> of).
> 
> Does anybody know if this is possible?  

No, it is not.  While I originally created 'winbind use default domain',
and I've seen it used exactly how I intended in the multi-protocol NAS
that I now work on, I also understand that others find that is has
caused us challenges in our internal implementation, in particular due
to the ambiguity it creates between local system users and winbind
users. 

Therefore, I suspect it will not be extended.  

On the other hand, the views of my colleagues may have changed, and a
clean patch implementing this might help show why this is worth-while. 

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org



More information about the samba mailing list