Remote Citrix Auth Pass-Through ...
Andrew Bartlett
abartlet at samba.org
Sat Jan 10 08:13:36 GMT 2004
On Sat, Jan 10, 2004 at 09:30:48AM +0200, C.Lee Taylor wrote:
> Greetings ...
>
> I am posting here, because I believe this is a little more technical than
> "I can't get my server to work?" ...
This is still not the place. Samba technical is not technical
support, it's technical development of Samba.
> A little background ...
>
> We have been forced by our head office to use AD and Citrix, not a bad
> combo, but I like my Linux Servers and don't wish to lose them, so I
> have been working towards a means to keep them and get our company
> what they want ...
>
> We have 2xWin2K3 ADS DC servers, and expect to have more than one Citrix
> server. My remote clients should be running Win9X or Win2K Clients off
> a Linux File/Print/Mail server, which I have upgraded to FC1 and self
> compiled Samba 3.0.2pre1 ( still test system ) ...
>
> Now my two problems, which one of the developers did give me a general
> idea of what to do, but it did not work (sorry, I can't remember who it
> was ) ...
>
> My remote clients, I would like to log into Samba as if it was a PDC,
> so that I can run logging scripts and join them to the domain ... Currently
> I am using Samba with LDAP and this works fine, but introducing ADS and
> Citrix now has broken the very nice setup ... I don't wish to lose
> flexibility or functionality by introducing winbind, which is what has
> happened with my tests.
If you want to use the central accounts and passwords, you will need
to use winbind.
> If I use winbind, I can't setup a PDC. It was explained to create a
> trust between my Samba domain and ADS domain, and this way I should be
> able to pass auth through the trust and as I have thought this through,
> I believe all my users will belong in ADS domain and all the Machine
> accounts would belong in Samba domain, but I can't get the trust working
> ... I think this is because of the fact that our ADS is in native mode,
> and the HowTo only converts Mixed mode, and warns against using/trying
> in Native Mode ( somebody's got to try it some time ) ...
Now this is interesting. We have the code to handle this, but we
don't use it. The RPC backends *should* allow you to handle this, but
it is suboptimal.
> So, I was hoping that somebody might be able to help me, or if I am
> missing info ( which I can't think of what to put in here without
> flooding the list with information that is not needed ) what would be
> best to forward ...
Start by setting an 'IPC username', with wbinfo --set-auth-user=...
> I don't have much control over the ADS system, some very basic stuff,
> but I will not be able to convince the powers that be to switch it to
> Mixed Mode ...
>
> Please can any body with some insight, give me a hand ( and a nice cool
> slap in the face is not what I am looking for ... given myself enough of
> them ... )
I have a long-term goal of removing the need for a 'security=ADS'
parameter, moving to more autodetection. This should help this kind
of thing a lot, as we can pick up what domains to do what with more
easily.
Andrew Bartlett