[Samba] Winbind in Multiple-Forests - Super Admin Domain Model
Karim Ayari
karim.ayari at gmail.com
Thu Dec 8 11:19:08 UTC 2016
We implement a Multiple-Forests - Super Admin Domain Model based on:
https://technet.microsoft.com/en-us/library/cc546821.aspx
We have 2 forests using W2K12r2: RSC for resources and ADM for admin user
accounts.
We join a Linux server to RSC with ADM credentials:
# net ads join -U linuxadm@ADM.LAB
We have a problem when we have to read uidNumber and gidNumber from the ADM
forest. Winbind tries to bind an LDAP connection to ADM using its credentials
from RSC: SMB1$@RSC.LAB.
The one-way trust relationship doesn't permit binding to ADM with a user
from RSC and returns an empty LDAP result.
So we can't get a valid Unix user with uid, gid, shell, groups, ...
If we change the one-way trust to a two-way trust, then we can get the user's
LDAP properties.
The Windows architects don't want to modify the trust relationship on
production servers.
Here is our smb.conf:
[global]
workgroup = RSC
realm = RSC.LAB
security = ads
netbios name = SMB1
kerberos method = secrets and keytab
idmap config ADM:backend = ad
idmap config ADM:range = 10000-20000
idmap config ADM:schema_mode = rfc2307
idmap config RSC:backend = ad
idmap config RSC:range = 500-9999
idmap config RSC:schema_mode = rfc2307
# default backend and range for SIDs outside the ADM and RSC ranges
# ('idmap backend' is the deprecated spelling; 'idmap config:range' without
# a domain name is not the default range and is ignored)
idmap config * : backend = tdb
idmap config * : range = 30000-100000
winbind nss info = rfc2307
[homes]
comment = Home Directories
browseable = no
writable = yes
Is there a way to force winbind to use another account to bind to the ADM LDAP?
Thanks.
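The idmap block in a multi-domain smb.conf like the one above is easy to get subtly wrong (a per-domain range that overlaps another, a default range written without the `*`, the old `idmap backend` spelling), and winbind then silently maps nothing for the affected domain. The following checker is an added example, not code from the original post or from the Samba project; it parses `[global]` by hand and reports those mistakes. Both sample configs embedded in it are constructed for this example, and the function names (`parse_global`, `check_idmap`) are the example's own.

```python
"""Linter for the winbind idmap settings in an smb.conf.

Checks performed on the [global] section:
  * every 'idmap config DOM:range' parses as LOW-HIGH with LOW < HIGH,
  * per-domain ranges do not overlap each other,
  * a default domain '*' with a backend and a range exists,
  * the deprecated 'idmap backend' spelling and the 'idmap config:range'
    form (no domain name, therefore ignored by Samba) are flagged.
"""

import re

# Constructed sample modelled on the config in the post, written with the
# old 'idmap backend' / 'idmap config:range' spelling so there is something
# to report.
SAMPLE_SMB_CONF = """\
[global]
workgroup = RSC
realm = RSC.LAB
security = ads
netbios name = SMB1
kerberos method = secrets and keytab
idmap config ADM:backend = ad
idmap config ADM:range = 10000-20000
idmap config ADM:schema_mode = rfc2307
idmap config RSC:backend = ad
idmap config RSC:range = 500-9999
idmap config RSC:schema_mode = rfc2307
idmap backend = tdb
idmap config:range = 30000-100000
winbind nss info = rfc2307
[homes]
comment = Home Directories
browseable = no
writable = yes
"""

# The same constructed sample with the default backend and range written
# in the supported 'idmap config * : ...' form.
FIXED_SMB_CONF = SAMPLE_SMB_CONF.replace(
    "idmap backend = tdb", "idmap config * : backend = tdb"
).replace("idmap config:range", "idmap config * : range")

# 'idmap config DOM:key' after key normalisation (lower case, single spaces).
IDMAP_RE = re.compile(r"^idmap config\s*(?P<dom>[^:]*?)\s*:\s*(?P<key>\w+)$")
RANGE_RE = re.compile(r"^(\d+)\s*-\s*(\d+)$")


def parse_global(text):
    """Return the (key, value) pairs of the [global] section, in file order.

    smb.conf keys are case-insensitive and may contain spaces, so each key
    is lower-cased with runs of whitespace collapsed. configparser is not
    used because it would split 'idmap config DOM:key' at the colon.
    """
    pairs, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        pairs.append((" ".join(key.split()).lower(), value.strip()))
    return pairs


def check_idmap(text):
    """Return a list of findings (strings); an empty list means no problems."""
    findings = []
    domains = {}  # domain name -> {option: value}; '*' is the default domain
    for key, value in parse_global(text):
        if key == "idmap backend":
            findings.append("'idmap backend' is deprecated; use 'idmap config * : backend'")
            domains.setdefault("*", {})["backend"] = value
            continue
        m = IDMAP_RE.match(key)
        if not m:
            continue
        dom, opt = m.group("dom").strip().upper(), m.group("key")
        if not dom:
            findings.append(f"'idmap config:{opt}' names no domain and is ignored; "
                            f"write 'idmap config * : {opt}'")
            continue
        domains.setdefault(dom, {})[opt] = value

    ranges = {}
    for dom, opts in sorted(domains.items()):
        if "backend" not in opts:
            findings.append(f"domain {dom}: no backend configured")
        if "range" not in opts:
            findings.append(f"domain {dom}: no range configured")
            continue
        m = RANGE_RE.match(opts["range"])
        if not m or int(m.group(1)) >= int(m.group(2)):
            findings.append(f"domain {dom}: malformed range {opts['range']!r}")
            continue
        ranges[dom] = (int(m.group(1)), int(m.group(2)))

    if "*" not in domains:
        findings.append("no default domain '*' configured (idmap config * : backend / range)")

    # Pairwise overlap check: two closed intervals overlap iff each starts
    # before the other ends.
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:
                findings.append(f"ranges of {a} ({alo}-{ahi}) and {b} ({blo}-{bhi}) overlap")
    return findings


if __name__ == "__main__":
    for name, conf in (("sample", SAMPLE_SMB_CONF), ("fixed", FIXED_SMB_CONF)):
        print(f"{name}: {check_idmap(conf) or 'no problems found'}")
```

Run against a real file with `check_idmap(open("/etc/samba/smb.conf").read())`. The deliberately old spelling in the first sample yields three findings (deprecated `idmap backend`, the domain-less `idmap config:range`, and consequently no range for `*`); the corrected sample yields none. Note that a clean result only says the ranges are consistent: it says nothing about whether winbind can actually read uidNumber/gidNumber across the trust, which is the separate problem the post describes.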