[Samba] Winbind in Multiple-Forests - Super Admin Domain Model

Karim Ayari karim.ayari at gmail.com
Thu Dec 8 13:46:56 UTC 2016


Thank you Volker,


I tried using hash and rid as alternatives to the ad backend. The best I can
get is the user's SID from ADM, but I can't get his groups.


If it is feasible, could you point me to a solution? Or should I simply
switch to another solution?

2016-12-08 12:25 GMT+01:00 Volker Lendecke <vl at samba.org>:

> On Thu, Dec 08, 2016 at 12:19:08PM +0100, Karim Ayari via samba wrote:
> > We implement a Multiple-Forests - Super Admin Domain Model based on:
> >
> > https://technet.microsoft.com/en-us/library/cc546821.aspx
> >
> > We have 2 forests using W2K12r2: RSC for resources and ADM for admin
> > user accounts.
> >
> > We join the Linux server to RSC with ADM credentials:
> >
> > # net ads join -U linuxadm at ADM.LAB
> >
> > We have a problem when we have to read uidNumber and gidNumber from the
> > ADM forest. Winbind tries to bind an LDAP connection to ADM using its
> > credential from RSC: SMB1$@RSC.LAB.
> >
> > The (one-way) trust relationship does not permit binding to ADM with a
> > user from RSC and returns an empty LDAP result.
> >
> > So we can't get a valid unix user with uid, gid, shell, groups...
> >
> > If we modify the one-way trust to a two-way then we can get user ldap
> > properties.
> >
> > The Windows Architects don't want to modify the trust relationship on
> > production servers.
> >
> > Here is our smb.conf:
> >
> > [global]
> >    workgroup = RSC
> >    realm = RSC.LAB
> >    security = ads
> >    netbios name = SMB1
> >    kerberos method = secrets and keytab
> >
> >    idmap config ADM:backend = ad
> >    idmap config ADM:range = 10000-20000
> >    idmap config ADM:schema_mode = rfc2307
> >
> >    idmap config RSC:backend = ad
> >    idmap config RSC:range = 500-9999
> >    idmap config RSC:schema_mode = rfc2307
> >
> >    idmap backend = tdb
> >    idmap config:range = 30000-100000
> >
> >    winbind nss info = rfc2307
> >
> > [homes]
> >    comment = Home Directories
> >    browseable = no
> >    writable = yes
> >
> >
> > Is there a way to force winbind to use another account to bind to ADM
> > LDAP?
>
> Not right now, but this would be a very nice addition to the module.
>
> Volker
>
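An offline check of the idmap layout discussed above, added here as an example and not part of the thread or of Samba itself: it parses the poster's idmap settings (re-typed as a constructed string) and flags the two things the thread turns on, overlapping ranges and a trusted domain (ADM) on the `ad` backend, which winbind can only serve by reading uidNumber/gidNumber from ADM's LDAP, the bind that fails over the one-way trust. The parser is a minimal one written for this example, not Samba's own loadparm.

```python
import re

# smb.conf idmap settings constructed from the values posted in the thread,
# embedded so the check runs offline without a Samba install.
SMB_CONF = """
[global]
   workgroup = RSC
   idmap config ADM:backend = ad
   idmap config ADM:range   = 10000-20000
   idmap config RSC:backend = ad
   idmap config RSC:range   = 500-9999
   idmap backend = tdb
   idmap config:range = 30000-100000
"""

# "idmap config DOM:key = v" or the bare default "idmap backend = v" (domain "*").
IDMAP_RE = re.compile(r"idmap (?:config\s*([\w*-]*)\s*:\s*)?(backend|range)\s*=\s*(\S+)", re.I)

def parse_idmap(conf):
    """Return (workgroup, {domain: {"backend": str, "range": (lo, hi)}})."""
    workgroup, domains = None, {}
    for raw in conf.splitlines():
        line = raw.strip()
        if m := re.match(r"workgroup\s*=\s*(\S+)", line, re.I):
            workgroup = m.group(1).upper()
        elif m := IDMAP_RE.match(line):
            dom = (m.group(1) or "*").upper()   # empty/absent domain = default map
            key, val = m.group(2).lower(), m.group(3).lower()
            if key == "range":
                lo, hi = val.split("-")
                val = (int(lo), int(hi))
            domains.setdefault(dom, {})[key] = val
    return workgroup, domains

def check_idmap(conf):
    """List idmap problems: overlapping ranges (Samba requires disjoint ranges) and
    trusted domains on the 'ad' backend, whose uid/gid come from that domain's LDAP."""
    workgroup, domains = parse_idmap(conf)
    findings = []
    ranges = sorted((v["range"], d) for d, v in domains.items() if "range" in v)
    for (r1, d1), (r2, d2) in zip(ranges, ranges[1:]):
        if r2[0] <= r1[1]:
            findings.append(f"overlap: {d1} {r1} and {d2} {r2}")
    for dom, v in domains.items():
        if dom not in ("*", workgroup) and v.get("backend") == "ad":
            findings.append(f"{dom}: ad backend needs an LDAP bind to the trusted domain")
    return findings

if __name__ == "__main__":
    print("\n".join(check_idmap(SMB_CONF)) or "no findings")
```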

