[Samba] Need help

mathias dufresne infractory at gmail.com
Mon May 2 10:13:26 UTC 2016


Hi Jeremy,

A short reply, I have not played with trust relationships since 4.4.0 left
the RC status...

I thought that Samba was not yet supporting groups with
trusted-domain-objects in it.
In other words I thought Samba can have DOM-A\group filled with DOM-A
objects.

Now if I remember correctly a domain member of DOM-B would "see" all users,
those from DOM-B but also those from DOM-A. Should be the same for groups.

So DOM-B/member-server should see DOM-A/sysadmins.

So you should be able to apply rights using DOM-A/sysadmins rather than using
DOM-B/trusted_sysadmins.

Hoping the fact that it's time for lunch didn't turn my mind into jelly,
hoping that was helpful...

Cheers,

mathias

2016-04-29 17:09 GMT+02:00 Collins, Jeremy <jeremy.collins at cgi.com>:

> Good morning.
>
> I need help getting Samba to work the way I would like it to work.
>
> Situation:
> I have two AD domains (2012R2), DOM-A and DOM-B.  I have elected to not
> use any SFU or RFC2307 extensions as MS has deprecated those features.
>
> DOM-A has a group, "sysadmins", which has users in it.
> DOM-B trusts DOM-A.  DOM-B also has a group "trusted_sysadmins", the
> member of which is DOM-A\\sysadmins.
>
> My host is to be a member of DOM-B.  I can join it to the domain just
> fine, and authentication works for both DOM-A and DOM-B accounts.  However
> winbind is not producing any group information for DOM-A accounts other
> than "DOM-A\\Domain Users".  I do need the host to see DOM-A memberships as
> I intend to use sshd AllowGroups to restrict who can log into the host.  If
> the host could see that users were (or were not) members of
> DOM-B\\trusted_sysadmins that would also work; basically if "id" can tell
> the userid is a member of either group, I can shove it in sshd_config
> AllowGroups and get the effect I want.
>
> Larger picture:
> This is all going into kickstart, with the goal that a newly kickstarted
> host will be automatically joined to DOM-B, and the sysadmin team in DOM-A
> will be the only group allowed to login (initially).
>
> My current target is RHEL7, although this will also be applied to new
> RHEL5 and RHEL6, as well as existing populations of RHEL5 and RHEL6.  Samba
> major versions will be 3 and 4.  Minor and patch versions will vary for
> many reasons.
>
> I've been googling furiously for some time now.  I've found numerous
> threads here and there that seem to describe a similar situation, but the
> threads always end without an answer.
>
> Current smb.conf globals:
> ==================================
> log file = /var/log/samba/%m.log
> log level = 10
> max log size = 0
> workgroup = DOM-B
> #password server = dombdc01.domb.dom
> realm = DOMB.DOM
> security = ads
> template shell = /bin/bash
> template homedir = /home/%U
> kerberos method = secrets and keytab
> client signing = yes
> client use spnego = yes
> winbind use default domain = false
> winbind offline logon = false
> winbind separator = +
> winbind cache time = 15
> winbind expand groups = 1
> idmap config * : range = 100000-9999999
> idmap config * : rangesize = 1000000
> idmap config * : backend = autorid
> ==================================
>
> Thanks in advance for any advice,
> Jeremy Collins
>
>
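As an added example (not from this thread, and not Samba's own code), the script below models how sshd's AllowGroups would judge the group list that winbind hands to `id`, using the `+` separator from Jeremy's smb.conf. The `id` output, the sshd_config fragment, the GIDs and the group names are all constructed, not captured from a real host. It also flags group names containing whitespace, which cannot be written as a token on a whitespace-separated AllowGroups line, and shows that the symptom Jeremy describes (a DOM-A account resolving only to DOM-A+domain users) ends in a denied login.

```python
"""Model how sshd's AllowGroups evaluates the groups winbind reports via `id`.

Added example, not part of the thread. The `id` output, sshd_config fragment,
GIDs and group names below are constructed; the `+` separator matches the
`winbind separator = +` setting in Jeremy's smb.conf.
"""
from __future__ import annotations

import fnmatch
import re

# `id` prints groups as GID(name), comma separated, after "groups=".
GROUP_RE = re.compile(r"(\d+)\(([^)]*)\)")


def parse_id_groups(id_output: str) -> list[str]:
    """Return the group names from the groups= field of one line of `id` output."""
    match = re.search(r"groups=(.*)$", id_output.strip())
    if not match:
        return []
    return [name for _gid, name in GROUP_RE.findall(match.group(1))]


def parse_allow_groups(sshd_config: str) -> list[str]:
    """Collect every pattern from AllowGroups lines; sshd splits them on whitespace."""
    patterns: list[str] = []
    for line in sshd_config.splitlines():
        tokens = line.strip().split()
        if tokens and tokens[0].lower() == "allowgroups":
            patterns.extend(tokens[1:])
    return patterns


def unmatchable_groups(groups: list[str]) -> list[str]:
    """Group names containing whitespace cannot be written as an AllowGroups token."""
    return [g for g in groups if any(ch.isspace() for ch in g)]


def login_allowed(id_output: str, sshd_config: str) -> bool:
    """True if any of the user's groups (primary included) matches an AllowGroups pattern.

    sshd patterns support only '*' and '?' and are matched case-sensitively,
    so fnmatchcase() is used rather than fnmatch().
    """
    patterns = parse_allow_groups(sshd_config)
    if not patterns:
        return True  # no AllowGroups directive: sshd applies no group restriction
    groups = parse_id_groups(id_output)
    return any(fnmatch.fnmatchcase(g, p) for g in groups for p in patterns)


# Constructed: what `id` might print once cross-domain groups resolve correctly.
ID_CROSS_DOMAIN_OK = (
    "uid=100123(DOM-B+jcollins) gid=100513(DOM-B+domain users) "
    "groups=100513(DOM-B+domain users),1100514(DOM-A+sysadmins),"
    "100601(DOM-B+trusted_sysadmins)"
)
# Constructed: the symptom in the thread, a DOM-A account resolving only to Domain Users.
ID_DOMAIN_USERS_ONLY = (
    "uid=1100123(DOM-A+alice) gid=1100513(DOM-A+domain users) "
    "groups=1100513(DOM-A+domain users)"
)
SSHD_CONFIG = """# constructed sshd_config fragment
PermitRootLogin no
AllowGroups DOM-A+sysadmins DOM-B+trusted_sysadmins
"""

if __name__ == "__main__":
    for label, out in (("jcollins", ID_CROSS_DOMAIN_OK), ("alice", ID_DOMAIN_USERS_ONLY)):
        groups = parse_id_groups(out)
        print(f"{label}: groups={groups}")
        print(f"  login allowed: {login_allowed(out, SSHD_CONFIG)}")
        print(f"  not expressible in AllowGroups: {unmatchable_groups(groups)}")
```

Running the script prints the verdict for both constructed users; the same functions can be fed the real output of `id <user>` on the member server to confirm that winbind is returning the DOM-A group before sshd is locked down. Because sshd matches group patterns case-sensitively, the AllowGroups token must be spelled exactly as `id` prints the group, separator and all.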