Re ssh - I should try that.

Windows 2003 native mode - you can't have NT4 BDCs in the domain. Trusts with NT4 domains are OK (at least should be). Samba (as a PDC) emulates an NT4 domain but still seems to use Kerberos for locating DCs (which would make sense if you want it to be an Active Directory domain member).

I also have trusts set up with my Samba domain and a Windows 2008 domain (in Win 2003 mode) - but I haven't tested that much to see if it is something specific to Samba or some weird issue with the Windows 2003 domain.

FYI - since I went to Samba 3.4 from 3.03, idmap does NOT automatically create entries in LDAP. I had to manually create them in LDAP. I had the entries that Samba 3.0.x would create as a template so, for a small number of users and groups, it was not that big a challenge. (Alternately, one could use "wbinfo --allocate-gid" and "wbinfo --allocate-uid".)



On 10/21/2010 05:15 PM, Bruce Richardson wrote:
> On Thu, Oct 21, 2010 at 05:02:55PM -0400, Gaiseric Vandal wrote:
> > I have not tried ssh'ing in as a trusted domain user (I definitely
> > don't want that available..)
>
> It's not something I want to make available, but it was an important
> test to prove that winbind was creating the correct idmap entries and
> that this was making functional POSIX accounts available to the Linux
> host.  What I don't understand is why Samba isn't mapping the trusted
> domain users onto those accounts.
>
> > Do you have an entry in krb5.conf for the trusted domain?  I think
> > that is more of an issue for locating the DC.
>
> I do.
>
> > At some point I changed the forest and domain modes on the Windows
> > 2003 DC from mixed to native.  That may have broken something.
>
> I'm surprised anything is working for you.  I didn't think trust
> relationships between Samba or NT4 and AD would work at all if AD was in
> native mode.

