[Samba] Winbind in Multiple-Forests - Super Admin Domain Model
Volker Lendecke
vl at samba.org
Thu Dec 8 11:25:58 UTC 2016
On Thu, Dec 08, 2016 at 12:19:08PM +0100, Karim Ayari via samba wrote:
> We implement a Multiple-Forests - Super Admin Domain Model based on :
>
> https://technet.microsoft.com/en-us/library/cc546821.aspx
>
> We have 2 forests using W2K12r2: RSC for resources and ADM for admin user
> accounts.
>
> We join a Linux server to RSC with an ADM credential:
>
> # net ads join -U linuxadm at ADM.LAB
>
> We have a problem when we have to read uidNumber and gidNumber from the ADM
> forest. Winbind tries to bind an LDAP connection to ADM using its credentials
> from RSC: SMB1$@RSC.LAB.
>
> The trust relationship (one-way) doesn't permit binding to ADM with a user
> from RSC and returns an empty LDAP result.
>
> So we can't get a valid Unix user with uid, gid, shell, groups...
>
> If we modify the one-way trust to a two-way then we can get user ldap
> properties.
>
> The Windows architects don't want to modify the trust relationship on
> production servers.
>
> Here is our smb.conf:
>
> [global]
>
> workgroup = RSC
> realm = RSC.LAB
> security = ads
> netbios name = SMB1
> kerberos method = secrets and keytab
>
> idmap config ADM:backend = ad
> idmap config ADM:range = 10000-20000
> idmap config ADM:schema_mode = rfc2307
>
> idmap config RSC:backend = ad
> idmap config RSC:range = 500-9999
> idmap config RSC:schema_mode = rfc2307
>
>
> idmap backend = tdb
> idmap config:range = 30000-100000
>
> winbind nss info = rfc2307
>
> [homes]
> comment = Home Directories
> browseable = no
> writable = yes
>
>
> Is there a way to force winbind to use another account to bind to ADM LDAP?
Not right now, but this would be a very nice addition to the module.
Volker
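The config quoted in the thread has two per-domain `ad` idmap backends plus an old-style default domain. The following is an added example (not Samba's own testparm, not code from the thread) that parses a constructed copy of that smb.conf and reports the two things an operator would want checked before relying on it: `ad` backends configured for a trusted domain other than the one the host is joined to (winbind must then read uidNumber/gidNumber from that domain's LDAP, the bind the one-way trust refused above), and overlapping id ranges. The `joined_domain` parameter is an assumption of this example.

```python
import re

# Constructed copy of the smb.conf quoted above; the old-style "idmap backend"
# and "idmap config:range" lines are the default ("*") domain in new syntax.
SMB_CONF = """
[global]
workgroup = RSC
realm = RSC.LAB
idmap config ADM:backend = ad
idmap config ADM:range = 10000-20000
idmap config ADM:schema_mode = rfc2307
idmap config RSC:backend = ad
idmap config RSC:range = 500-9999
idmap config RSC:schema_mode = rfc2307
idmap backend = tdb
idmap config:range = 30000-100000
"""

IDMAP_RE = re.compile(r"^\s*idmap\s+config\s*([^:\s]*)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)
OLD_BACKEND_RE = re.compile(r"^\s*idmap\s+backend\s*=\s*(\S+)", re.I)

def parse_idmap(conf):
    """Collect idmap settings per domain; '*' is the default domain."""
    domains = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:  # "idmap config DOM:option = value"; empty DOM means the default domain
            domains.setdefault(m.group(1).upper() or "*", {})[m.group(2).lower()] = m.group(3)
        elif (m := OLD_BACKEND_RE.match(line)):  # deprecated spelling of "idmap config * : backend"
            domains.setdefault("*", {})["backend"] = m.group(1)
    return domains

def check_idmap(conf, joined_domain):
    """Findings: 'ad' backends on trusted domains (they need an LDAP bind to that
    domain, which a one-way trust may refuse) and overlapping id ranges."""
    findings, ranges = [], []
    for dom, opts in parse_idmap(conf).items():
        if "range" in opts:
            lo, hi = (int(x) for x in opts["range"].split("-"))
            ranges.append((dom, lo, hi))
        if opts.get("backend", "").lower() == "ad" and dom not in ("*", joined_domain.upper()):
            findings.append(f"{dom}: 'ad' backend reads uidNumber/gidNumber over LDAP from {dom}; "
                            f"the bind from {joined_domain.upper()} must be allowed by the trust")
    ranges.sort(key=lambda r: r[1])
    for (d1, _, h1), (d2, l2, _) in zip(ranges, ranges[1:]):
        if l2 <= h1:
            findings.append(f"range overlap between {d1} and {d2}")
    return findings
```

Running `check_idmap(SMB_CONF, "RSC")` on the quoted config yields a single finding, for ADM, which matches the failure described in the thread; the ranges themselves do not overlap.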