[Samba] Winbind in Multiple-Forests - Super Admin Domain Model
vl at samba.org
Thu Dec 8 11:25:58 UTC 2016
On Thu, Dec 08, 2016 at 12:19:08PM +0100, Karim Ayari via samba wrote:
> We implement a Multiple-Forests - Super Admin Domain Model based on:
> We have 2 forests using W2K12r2: RSC for resources and ADM for admin users.
> We join a Linux server to RSC with an ADM credential:
> # net ads join -U linuxadm@ADM.LAB
> We have a problem when we have to read uidNumber and gidNumber from the ADM
> forest. Winbind tries to bind an LDAP connection to ADM using its credential
> from RSC: SMB1$@RSC.LAB.
> The trust relationship (one-way) doesn't permit binding to ADM with a user
> from RSC and returns an empty LDAP result.
> So we can't get a valid Unix user with uid, gid, shell, groups...
> If we modify the one-way trust to a two-way trust, then we can get user LDAP
> The Windows architects don't want to modify the trust relationship on
> production servers.
> Here is our smb.conf:
> [global]
> workgroup = RSC
> realm = RSC.LAB
> security = ads
> netbios name = SMB1
> kerberos method = secrets and keytab
> idmap config ADM:backend = ad
> idmap config ADM:range = 10000-20000
> idmap config ADM:schema_mode = rfc2307
> idmap config RSC:backend = ad
> idmap config RSC:range = 500-9999
> idmap config RSC:schema_mode = rfc2307
> # default domain (everything not matched above); the domain name is '*'
> idmap config * : backend = tdb
> idmap config * : range = 30000-100000
> winbind nss info = rfc2307
>
> [homes]
> comment = Home Directories
> browseable = no
> writable = yes
> Is there a way to force winbind to use another account to bind to ADM LDAP?
Not right now, but this would be a very nice addition to the module.
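An added example, not Samba code and not from either poster: a small checker for the idmap part of an smb.conf like the one above. It does not solve the one-way-trust problem (nothing in smb.conf can make SMB1$@RSC.LAB bind to ADM), but it catches the configuration mistakes that produce the same symptom of "no uid/gid for the user": the default domain written without the '*' name, no default-domain range at all, per-domain ranges that overlap, and a range that reaches into the ids used by local accounts. The sample configs are constructed from the thread; the 1000 ceiling for local ids and the message formats are this example's own assumptions. Run it with testparm, not instead of it.

```python
"""Sanity-check the idmap lines of an smb.conf for a winbind host that serves
several domains.  Added example for this thread; not part of Samba."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the idmap lines as posted, with the default-domain
# line written without a domain name.
SAMPLE_SMB_CONF = """
[global]
workgroup = RSC
idmap config ADM:backend = ad
idmap config ADM:range = 10000-20000
idmap config ADM:schema_mode = rfc2307
idmap config RSC:backend = ad
idmap config RSC:range = 500-9999
idmap config RSC:schema_mode = rfc2307
idmap backend = tdb
idmap config:range = 30000-100000
"""

# Constructed corrected version: the default domain is spelled '*', and the
# RSC range no longer reaches into the ids used by local accounts.
FIXED_SMB_CONF = """
[global]
workgroup = RSC
idmap config * : backend = tdb
idmap config * : range = 30000-100000
idmap config ADM : backend = ad
idmap config ADM : range = 10000-20000
idmap config ADM : schema_mode = rfc2307
idmap config RSC : backend = ad
idmap config RSC : range = 1000-9999
idmap config RSC : schema_mode = rfc2307
"""

# 'idmap config <DOMAIN> : <option> = <value>'; DOMAIN may be '*' or, in the
# broken form, absent.
IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s*([^:]*?)\s*:\s*([A-Za-z_]+)\s*=\s*(.*?)\s*$",
    re.IGNORECASE)

# Assumption: ids below this belong to local /etc/passwd and /etc/group
# entries and must never be handed out by winbind.
LOCAL_ID_CEILING = 1000


def parse_idmap(conf: str) -> Dict[str, Dict[str, str]]:
    """Return {domain: {option: value}}; a missing domain name becomes ''."""
    cfg: Dict[str, Dict[str, str]] = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
            cfg.setdefault(dom, {})[opt] = val
    return cfg


def parse_range(value: str) -> Optional[Tuple[int, int]]:
    """Parse 'low-high'; None if malformed or inverted."""
    m = re.fullmatch(r"\s*(\d+)\s*-\s*(\d+)\s*", value)
    if not m:
        return None
    low, high = int(m.group(1)), int(m.group(2))
    return (low, high) if low <= high else None


def check_idmap(conf: str) -> List[str]:
    """Return a list of problems; empty when the idmap setup looks sane."""
    problems: List[str] = []
    cfg = parse_idmap(conf)

    if "" in cfg:
        problems.append("syntax: 'idmap config' without a domain name; "
                        "the default domain is written 'idmap config * : ...'")
    if "range" not in cfg.get("*", {}):
        problems.append("missing: no 'idmap config * : range' for the default domain")

    ranges: List[Tuple[int, int, str]] = []
    for dom, opts in cfg.items():
        if dom == "":
            continue
        if "range" not in opts:
            problems.append(f"missing: domain {dom} has no range")
            continue
        rng = parse_range(opts["range"])
        if rng is None:
            problems.append(f"syntax: domain {dom} range {opts['range']!r} is not low-high")
            continue
        if rng[0] < LOCAL_ID_CEILING:
            problems.append(f"warning: domain {dom} range {rng[0]}-{rng[1]} "
                            f"starts below {LOCAL_ID_CEILING}, where local accounts live")
        ranges.append((rng[0], rng[1], dom))

    # Ranges must be disjoint: sorted by low end, each must start above the
    # previous one's high end.
    ranges.sort()
    for (lo1, hi1, d1), (lo2, hi2, d2) in zip(ranges, ranges[1:]):
        if lo2 <= hi1:
            problems.append(f"overlap: {d1} {lo1}-{hi1} and {d2} {lo2}-{hi2}")
    return problems


if __name__ == "__main__":
    for name, conf in (("posted", SAMPLE_SMB_CONF), ("fixed", FIXED_SMB_CONF)):
        print(f"{name}: {check_idmap(conf) or ['ok']}")
```

Note that an overlapping or missing range makes winbind silently refuse to map an otherwise valid user, which looks identical to the empty LDAP result in the thread; ruling that out first saves time before blaming the trust.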