[Samba] allow trusted domains

Victor Sudakov vas at mpeks.tomsk.su
Sun Mar 4 21:30:30 MST 2012


simo wrote:
[dd]

> > > > My question: if BERYLIUM trusts ANOTHERDOMAIN, and
> > > > ANOTHERDOMAIN\WambatW tries to open a connection to my Samba server,
> > > > what user will be looked up in /etc/passwd?
> > > 
> > > It should be:
> > > ANOTHERDOMAIN\WambatW
> > 
> > A Unix user with a slash in the login name? Sorry I doubt that because
> > I have a script in smb.conf:
> > 
> > add user script = /usr/sbin/pw useradd %u -m -Y -M 755
> > 
> > and the script's log shows that those users from trusted domains are
> > being created as "WambatW", not "ANOTHERDOMAIN\WambatW". 
> > 
> > How/where can I see/debug the actual mapping happening?
> 
> When using trusted domains you should run winbindd, relying on add user
> script is basically not supported/tested for trusted domain.

This is very sad news. My add user script creates users in the NIS
database which is made available to several Unix hosts. This is a very
reliable technology: once a user is created, it remains rock solid. I
feel very reluctant for the Unix user ids to depend upon some obscure
IDMAP databases prone to corruption, and the availability of Windows
domain controllers.

Is there a way to map all trusted domain users to the guest account?

So that they have access rights to public shares equal to those of
nonexistent users?

-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
sip:sudakov at sibptus.tomsk.ru

