[Samba] How to restrict winbindd to access trusted domains objects. - Samba

  1. [Samba] How to restrict winbindd to access trusted domains objects.

    Greetings.

    I have already gone through the question at
    http://lists-archives.org/samba/3755...usernames.html

    and concluded that winbindd tries to get users and groups in trusted
    domains.
    We have three different domains in their forests, connected by trust
    relationships:

    CITY-XXI.INT <-> DEP2.CITY-XXI.INT
    DEP2.CITY-XXI.INT <-> ALL.INT
    CITY-XXI.INT <-> ALL.INT

    In my smb.conf I use the parameter
    allow trusted domains = No
    to restrict Samba from reading foreign domain objects, but

    wbinfo -u returns a list of users from my domain (DEP2.CITY-XXI.INT) and
    from another domain (CITY-XXI);
    wbinfo -g does the same;

    and finally wbinfo -r hangs while retrieving the groups for a given user,
    trying to reach and read objects in the ALL.INT and CITY-XXI.INT domains.

    What configuration should I provide to Samba to limit it to its own domain
    (ONLY DEP2) and prohibit any attempts to resolve foreign (even trusted)
    DCs, etc.?

    My current Samba version: 3.0.23c_2,1 (port build)
    My OS version: FreeBSD 6.2-RELEASE
    My current smb.conf (testparm output):
    Load smb config files from /usr/local/etc/smb.conf
    Loaded services file OK.
    'winbind separator = +' might cause problems with group membership.
    Server role: ROLE_DOMAIN_MEMBER
    [global]
    workgroup = DEP2
    realm = DEP2.CITY-XXI.INT
    server string = SZRouter.DEP2.CITY-XXI.INT
    interfaces = 10.1.9.0/24
    security = ADS
    auth methods = winbind
    allow trusted domains = No
    password server = City2.dep2.city-xxi.int
    client NTLMv2 auth = Yes
    client lanman auth = No
    client plaintext auth = No
    log file = /var/log/samba/log.%m
    socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
    os level = 0
    preferred master = No
    local master = No
    domain master = No
    dns proxy = No
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    winbind separator = +
    winbind cache time = 10
    winbind enum users = Yes
    winbind enum groups = Yes
    winbind use default domain = Yes
    hosts allow = 10.1.9., 127.

    Thank you!

    Dzmitry Stremkouski.
    --
    To unsubscribe from this list go to the following URL and read the
    instructions: https://lists.samba.org/mailman/listinfo/samba

  2. Re: [Samba] How to restrict winbindd to access trusted domains objects.


    Dmitry wrote:

    | What configuration should I provide to samba to limit
    | it in it's own domain (ONLY DEP2) and prohibit any
    | tries to resolve foreign (even trusted) DC's
    | etc...
    |
    | My current samba ver: 3.0.23c_2,1 (port-build)
    | My OS ver: FreeBSD 6.2-REL
    | My current smb.conf:
    | Load smb config files from /usr/local/etc/smb.conf
    | Loaded services file OK.
    | 'winbind separator = +' might cause problems with group membership.
    | Server role: ROLE_DOMAIN_MEMBER
    | [global]
    | workgroup = DEP2
    | realm = DEP2.CITY-XXI.INT
    | server string = SZRouter.DEP2.CITY-XXI.INT
    | interfaces = 10.1.9.0/24
    | security = ADS
    | auth methods = winbind
      ^^^^^^^^^^^^^^^^^^^^^^
    don't ever set this.

    | allow trusted domains = No
      ^^^^^^^^^^^^^^^^^^^^^^^^^^

    This should be enough, but I do remember a bug
    regarding that parameter. Would you mind giving
    3.0.29 a try and seeing if my memory is correct and
    the bug has been fixed.

    cheers, jerry
    --
    =====================================================================
    Samba ------- http://www.samba.org
    Likewise Software --------- http://www.likewisesoftware.com
    "What man is a man who does not make the world better?" --Balian

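The two posts above boil down to three smb.conf settings: drop "auth methods" (the reply says never to set it on a domain member), keep "allow trusted domains = No", and the "winbind enum users/groups = Yes" lines that make wbinfo -u / -g enumerate every domain winbindd knows about. The script below is an added example, not Samba's own tooling and not from either poster: it reads only the [global] section, mimics Samba's rule that parameter names match ignoring case and whitespace and that the last assignment wins, and lints a file for those three points. The two sample files are constructed here from the winbind-relevant lines of the posted config, once as posted and once with the fixes applied; the temporary file names are the script's own choice.

```shell
#!/bin/sh
# Added example (not Samba's own tooling): lint the winbind-related settings
# of an smb.conf against the advice in this thread. Only [global] is read.

# smb_param FILE NAME - print the effective value of NAME in [global].
# Samba matches parameter names ignoring case and whitespace, and the last
# assignment of a parameter wins, so this mimics both rules.
smb_param() {
    awk -v want="$(printf '%s' "$2" | tr -d ' \t' | tr 'A-Z' 'a-z')" '
        /^[ \t]*[#;]/ { next }                       # comment line
        /^[ \t]*\[/   { insec = (tolower($0) ~ /^[ \t]*\[global\][ \t]*$/); next }
        insec && index($0, "=") {
            name = substr($0, 1, index($0, "=") - 1)
            gsub(/[ \t]/, "", name)
            if (tolower(name) == want) {
                val = substr($0, index($0, "=") + 1)
                sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
                last = val; found = 1
            }
        }
        END { if (found) print last }
    ' "$1"
}

# smb_bool VALUE - normalise a Samba boolean (yes/true/1, no/false/0).
smb_bool() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        yes|true|1)  echo yes ;;
        no|false|0)  echo no ;;
        *)           echo "$1" ;;
    esac
}

# check_smbconf FILE - print one line per finding; the exit status is the
# number of findings, so 0 means the file passes every check.
check_smbconf() {
    f=$1; n=0
    # The reply in the thread: never set "auth methods" on a domain member.
    am=$(smb_param "$f" 'auth methods')
    if [ -n "$am" ]; then
        echo "auth methods = $am: remove it, Samba derives the methods from 'security'"
        n=$((n + 1))
    fi
    # The parameter the thread is about; its default is Yes.
    v=$(smb_bool "$(smb_param "$f" 'allow trusted domains')")
    if [ "$v" != no ]; then
        echo "allow trusted domains = ${v:-(unset, default Yes)}: set it to No"
        n=$((n + 1))
    fi
    # Enumeration is what makes wbinfo -u / -g and getpwent(3) walk every
    # domain winbindd knows about; logons do not need it.
    for p in 'winbind enum users' 'winbind enum groups'; do
        if [ "$(smb_bool "$(smb_param "$f" "$p")")" = yes ]; then
            echo "$p = Yes: set it to No unless a full listing is really needed"
            n=$((n + 1))
        fi
    done
    return "$n"
}

# Constructed samples: the winbind-relevant lines of the smb.conf posted in
# the thread, and the same file with the fixes applied.
WEAK=$(mktemp); HARDENED=$(mktemp)
trap 'rm -f "$WEAK" "$HARDENED"' EXIT
cat >"$WEAK" <<'EOF'
[global]
    workgroup = DEP2
    realm = DEP2.CITY-XXI.INT
    security = ADS
    auth methods = winbind
    allow trusted domains = No
    winbind separator = +
    winbind enum users = Yes
    winbind enum groups = Yes
    winbind use default domain = Yes
EOF
cat >"$HARDENED" <<'EOF'
[global]
    workgroup = DEP2
    realm = DEP2.CITY-XXI.INT
    security = ADS
    allow trusted domains = No
    winbind separator = +
    winbind enum users = No
    winbind enum groups = No
    winbind use default domain = Yes
EOF

for f in "$WEAK" "$HARDENED"; do
    echo "== $f"
    rc=0; check_smbconf "$f" || rc=$?
    echo "findings: $rc"
done
```

Run it as is and the posted configuration yields three findings (the "auth methods" line and the two enumeration switches) while the corrected file yields none. The lint only confirms what the file says; the reporter's point is that on 3.0.23c "allow trusted domains = No" did not stop the cross-domain lookups, which the reply attributes to a bug in that release. After restarting winbindd, `wbinfo -m` lists the domains winbindd still treats as trusted, which is the quickest way to see whether the running daemon honours the setting.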