[Samba] Winbind in Multiple-Forests - Super Admin Domain Model

Karim Ayari karim.ayari at gmail.com
Thu Dec 8 11:19:08 UTC 2016


We implement a Multiple-Forests - Super Admin Domain Model based on:

https://technet.microsoft.com/en-us/library/cc546821.aspx

We have 2 forests using W2K12r2: RSC for resources and ADM for admin user
accounts.

We join the Linux server to RSC with an ADM credential:

# net ads join -U linuxadm@ADM.LAB

We have a problem when we have to read uidNumber and gidNumber from the ADM
forest. Winbind tries to bind an LDAP connection to ADM using its credential
from RSC: SMB1$@RSC.LAB.

The one-way trust relationship doesn't permit binding to ADM with a user
from RSC and returns an empty LDAP result.

So we can't get a valid Unix user with uid, gid, shell, groups...

If we change the one-way trust to a two-way trust, then we can get the user's
LDAP properties.

The Windows architects don't want to modify the trust relationship on
production servers.

Here is our smb.conf:

[global]
        workgroup = RSC
        realm = RSC.LAB
        security = ads
        netbios name = SMB1
        kerberos method = secrets and keytab

        idmap config ADM:backend = ad
        idmap config ADM:range = 10000-20000
        idmap config ADM:schema_mode = rfc2307

        idmap config RSC:backend = ad
        idmap config RSC:range = 500-9999
        idmap config RSC:schema_mode = rfc2307

        # default (fallback) idmap domain, written in the "idmap config * : ..." form
        idmap config * : backend = tdb
        idmap config * : range = 30000-100000

        winbind nss info = rfc2307

[homes]
        comment = Home Directories
        browseable = no
        writable = yes


Is there a way to force winbind to use another account to bind to the ADM LDAP?

Thanks.
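The idmap configuration above is the part of this setup that is easy to get subtly wrong, independently of the trust question: each domain needs a backend and a range, the ranges must not overlap each other, and a range that reaches below 1000 can collide with local system accounts. The following checker is an added example for this thread, not code from the poster or from the Samba project. It parses the `idmap config <DOMAIN>:<key>` lines out of an smb.conf-style text and reports those problems; the embedded sample config is constructed after the one in the post, with the default domain written in the documented `idmap config * : ...` form (an assumption about what the poster's `idmap config:range` line was meant to be). The local-ID ceiling of 999 is an assumption (the usual `UID_MIN`/`GID_MIN` of 1000) and can be passed as a parameter.

```python
"""Sanity-check winbind idmap ranges in an smb.conf (added example, not the poster's code)."""
import re
from itertools import combinations
from typing import Dict, List, Tuple

# Constructed sample, modelled on the smb.conf in the post. The default
# domain uses the "idmap config * : ..." form (assumption, see lead-in).
SAMPLE_SMB_CONF = """
[global]
   workgroup = RSC
   realm = RSC.LAB
   security = ads
   idmap config ADM:backend = ad
   idmap config ADM:range   = 10000-20000
   idmap config ADM:schema_mode = rfc2307
   idmap config RSC:backend = ad
   idmap config RSC:range   = 500-9999
   idmap config RSC:schema_mode = rfc2307
   idmap config * : backend = tdb
   idmap config * : range = 30000-100000
   winbind nss info = rfc2307
"""

# Matches "idmap config DOMAIN:key = value" and "idmap config * : key = value".
IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<domain>\*|[A-Za-z0-9_.-]+)\s*:\s*"
    r"(?P<key>\w+)\s*=\s*(?P<value>.+?)\s*$",
    re.IGNORECASE,
)


def parse_idmap(conf: str) -> Dict[str, Dict[str, str]]:
    """Return {domain: {key: value}} for every idmap config line; comments are skipped."""
    domains: Dict[str, Dict[str, str]] = {}
    for line in conf.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in "#;":
            continue
        m = IDMAP_RE.match(line)
        if not m:
            continue
        dom = m["domain"] if m["domain"] == "*" else m["domain"].upper()
        domains.setdefault(dom, {})[m["key"].lower()] = m["value"]
    return domains


def parse_range(text: str) -> Tuple[int, int]:
    """Parse 'LOW-HIGH' into integers and reject an inverted range."""
    parts = [p.strip() for p in text.split("-")]
    if len(parts) != 2:
        raise ValueError(f"range '{text}' is not of the form LOW-HIGH")
    lo, hi = int(parts[0]), int(parts[1])
    if lo > hi:
        raise ValueError(f"range '{text}' has LOW > HIGH")
    return lo, hi


def check_idmap(conf: str, local_id_max: int = 999) -> List[str]:
    """Return a list of findings; an empty list means the idmap layout looks sane."""
    findings: List[str] = []
    domains = parse_idmap(conf)

    # winbind uses the '*' domain for BUILTIN and any domain without its own block.
    if "*" not in domains:
        findings.append("DEFAULT: no 'idmap config * : ...' block for BUILTIN and unlisted domains")

    ranges: Dict[str, Tuple[int, int]] = {}
    for dom, params in domains.items():
        for required in ("backend", "range"):
            if required not in params:
                findings.append(f"MISSING: {dom} has no {required}")
        if "range" in params:
            try:
                ranges[dom] = parse_range(params["range"])
            except ValueError as exc:
                findings.append(f"RANGE: {dom}: {exc}")

    # IDs below the local threshold can collide with accounts in /etc/passwd.
    for dom, (lo, hi) in ranges.items():
        if lo <= local_id_max:
            findings.append(f"LOCAL: {dom} range {lo}-{hi} overlaps local system IDs 0-{local_id_max}")

    # Two domains sharing IDs would let one domain's users map onto another's.
    for (d1, r1), (d2, r2) in combinations(sorted(ranges.items()), 2):
        if r1[0] <= r2[1] and r2[0] <= r1[1]:
            findings.append(f"OVERLAP: {d1} {r1[0]}-{r1[1]} and {d2} {r2[0]}-{r2[1]}")
    return findings


if __name__ == "__main__":
    for finding in check_idmap(SAMPLE_SMB_CONF) or ["no idmap findings"]:
        print(finding)
```

Run against the sample, the only finding is that the RSC range 500-9999 reaches into the local system-ID space; with a range such as 1000-9999 it would be clean. Lines written as `idmap config:range` (without a domain) do not match the parser, so a config using that spelling is reported as lacking a default domain, which is one quick way to spot the typo.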
