[Samba] Trustdom setup and trusted group management - Samba



Thread: [Samba] Trustdom setup and trusted group management

  1. [Samba] Trustdom setup and trusted group management

    Hello,

    I did join 2 sites using an IPSEC tunnel, and made one domain trust the
    other (2 small Samba DC based domains with about 10 users in each).

    I first had resolving issues until I decided to keep only one WINS server
    for both networks (though this is still an issue to me because if for any
    reason the tunnel is broken, I have no longer WINS on one side).

    Finally, here is my setup:

    Network A 1.1.0.0/16 with Samba DC ServA for domain DomA at ip 1.1.254.254
    (which also acts as IPSEC gateway and firewall).
    Network B 2.1.0.0/16 with Samba DC ServB for domain DomB at ip 2.1.254.254
    (which also acts as IPSEC gateway and firewall).

    Browsing is OK (I think):

    preferred master = Yes
    local master = Yes
    domain master = Yes
    browse list = Yes
    enhanced browsing = Yes
    remote announce = 1.1.254.254 (2.1.254.254 for ServA)
    remote browse sync = 1.1.254.254 (2.1.254.254 for ServA)

    ServB is the WINS for both networks.

    name resolve order = wins host lmhosts bcast
    wins proxy = Yes
    wins support = Yes

    All nodes on both networks configured as peer to peer (0x3).
    All nodes can access any other whatever the network.

    From here, I set up the trustdom: DomA is the trusted domain and DomB the
    trusting one.

    The net rpc trustdom establish DomA run on ServB returned:
    Unable to join ServA
    Successfully joined DomA

    From here, I set up winbindd on ServB to be able to play with DomA users.


    idmap domains = DomA
    idmap alloc backend = tdb
    template homedir = /home/home/%D/%U
    template shell = /bin/false
    winbind separator = \
    winbind enum users = Yes
    winbind enum groups = Yes
    winbind use default domain = No
    winbind trusted domains only = No
    winbind nested groups = Yes
    winbind nss info = template
    winbind:rpc only = yes
    idmap config DomA:range = 4000-4999
    idmap config DomA:default = Yes
    idmap config DomA:backend = tdb
    idmap alloc config:range = 3000-3999

    And here, I have a strange failure: wbinfo -t returns either "checking
    the trust secret via RPC calls failed
    error code was NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND (0xc0000233)
    Could not check secret".
    However, nmblookup -R -U 2.1.254.254 DomA#1b gives me 1.1.254.254 DomA#1b,
    and I can successfully look up DomA users and groups using both wbinfo -u/g
    and getent passwd/group.
    But the ids allocated are not in the range given by idmap config
    DomA:range = 4000-4999 but the range in idmap alloc config:range =
    3000-3999.

    This is the first thing I am trying to fix.

    The other thing now is how to grant DomA users rights to access and
    modify the files/shares/printers from DomB, as DomB was so far only managed
    using domain groups that were mapped from unix groups.

    Can anybody help?

    --
    François Legal


    Message scanned by ClamAV engine (http://www.clamav.net)
    --------------------------------------------------------
    --
    To unsubscribe from this list go to the following URL and read the
    instructions: https://lists.samba.org/mailman/listinfo/samba
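As an added example (not code from the thread or from Samba itself), a small Python check over the idmap lines of an smb.conf like the one above: it parses every idmap range, flags a domain listed in idmap domains that has no range of its own, and reports any overlap between the trusted-domain range, the alloc range and an assumed local UID/GID range, since a trusted domain mapped into the UID space of local accounts is exactly what a trust setup must rule out. The sample config is constructed from the post's own lines; the local range default is an assumption.

```python
import re

# Constructed sample: the idmap lines quoted in the post (not a real config file).
SAMPLE_SMB_CONF = """
idmap domains = DomA
idmap alloc backend = tdb
idmap config DomA:range = 4000-4999
idmap config DomA:default = Yes
idmap config DomA:backend = tdb
idmap alloc config:range = 3000-3999
"""

# "idmap config <DOM>:range = lo-hi" or "idmap alloc config:range = lo-hi"
RANGE_RE = re.compile(
    r"^\s*idmap\s+(?:config\s+(\S+?)|alloc\s+config):range\s*=\s*(\d+)\s*-\s*(\d+)", re.I)
DOMAINS_RE = re.compile(r"^\s*idmap\s+domains\s*=\s*(.+?)\s*$", re.I | re.M)


def parse_idmap_ranges(conf):
    """Return {DOMAIN: (lo, hi)}; the allocator range is stored under 'ALLOC'."""
    ranges = {}
    for line in conf.splitlines():
        m = RANGE_RE.match(line)
        if m:
            ranges[(m.group(1) or "ALLOC").upper()] = (int(m.group(2)), int(m.group(3)))
    return ranges


def audit_idmap(conf, local_ids=(1000, 2999)):
    """Flag domains in 'idmap domains' without a range, and any overlap between
    the per-domain ranges, the alloc range and local_ids (assumed UID/GID range of
    DomB's own unix accounts; overlap would let a remote SID map onto a local id)."""
    ranges = parse_idmap_ranges(conf)
    findings = []
    m = DOMAINS_RE.search(conf)
    for dom in (m.group(1).replace(",", " ").split() if m else []):
        if dom.upper() not in ranges:
            findings.append(f"{dom}: in 'idmap domains' but no idmap config {dom}:range")
    ranges = dict(ranges, LOCAL=local_ids)
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (lo1, hi1), (lo2, hi2) = ranges[a], ranges[b]
            if lo1 <= hi2 and lo2 <= hi1:  # closed intervals intersect
                findings.append(f"{a} {lo1}-{hi1} overlaps {b} {lo2}-{hi2}")
    return findings


def id_in_domain_range(uid, conf, domain):
    """True when uid lies in the range declared for domain (e.g. 'DomA')."""
    lo, hi = parse_idmap_ranges(conf)[domain.upper()]
    return lo <= uid <= hi
```

Run over the post's own lines the audit returns no findings, so the ranges themselves are consistent; the symptom in the post (DomA ids landing in 3000-3999) shows up as id_in_domain_range(uid, conf, "DomA") being false for the ids that getent reports.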


  2. Re: [Samba] Trustdom setup and trusted group management

    Yeah, I'm baffled by the relationship between domain trusts and WINS.
    There's some sort of weird dependency there that I can't figure out.
    lmhosts doesn't seem to help much either.

    If you have WAN-linked domains with multiple segments (like most
    medium-to-large businesses) you want to have a WINS server per LAN so
    that your local networks don't fail every time the phone company
    fubars your WAN link. This is intuitively obvious, but it contradicts
    the documentation a little (because the "one WINS server per network"
    should actually say "one WINS server per LAN" or possibly "one WINS
    server per domain").

    Interdomain trusts haven't worked right for me since smbpasswd went
    away. There's a sambaTrustPassword attribute in the LDAP schema file
    distributed by the samba team, but no indications of how to use it,
    and the "net" toolset doesn't seem to create or modify it.

    Sorry this post is no help. If you figure out what exactly the
    relationship is between WINS and domain trusts, please post your
    findings!

    Thanks,
    --Charlie


    On Thu, May 29, 2008 at 8:59 AM, wrote:


