Re: [Samba] Domain trust between a Samba PDC domain and W2K ADdomain
SNIP

Hi people. I'm working on a trust relation between Samba 3.3.X and Windows 2003 AD mixed mode. I have read the doc about this but for some reason it won't work; my PDC+LDAP is working but I still cannot make these 2 servers share users.

In my experience, it is fairly straightforward to get AD users trusted by the Samba controlled Domain, although granular file permissions are tricky at best. In the opposite direction, this is quite difficult, unless the AD domain is in the very old now, mixed mode.

Could u please give me the process u use to create the relation between win2k3(in/out) and samba? I will appreciate it, thanks!!!

-- LIving the dream...

-- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Domain trust between a Samba PDC domain and W2K ADdomain
I have a samba domain (Samba 3.4.x PDC) and a Windows 2003 (in 2003 native mode) domain. Trusts MOSTLY work- having Samba recognize AD users is a little trickier.

For samba to trust windows, make sure you have idmap info defined in smb.conf. I have an ldap backend- it may not be quite correct.

    #IDMAP DEFAULT ALLOC
    idmap alloc backend = ldap
    idmap alloc config:ldap_url = ldap://ldap1.mydomain.com
    idmap alloc config:ldap_base_dn = ou=alloc,ou=idmap,o=mydomain.com
    idmap alloc config:ldap_user_dn = cn=
    idmap alloc config:range = 3 - 7
    idmap config WINDOMAIN:backend = ldap
    idmap config WINDOMAIN:readonly = no
    idmap config WINDOMAIN:default=no
    idmap config WINDOMAIN:ldap_base_dn = ou=windomain,ou=idmap,o=mydomain.com
    idmap config WINDOMAIN:ldap_user_dn = cn=
    idmap config WINDOMAIN:ldap_url = ldap://ldap1.mydomain.com
    idmap config WINDOMAIN:range = 3-3

I would also make sure that both the samba and windows DC use the same WINS server. You may want to have them use the same DNS server- or at least make sure that the DNS server each is using supports the AD DNS stuff from the windows domain.

On the samba PDC, I also added an entry in krb5.conf for the trusted domain. Not sure if that really mattered. Samba logs indicated it was looking for the kdc for the administration domain.

On 01/05/2011 04:52 PM, t...@tms3.com wrote:
> SNIP
>
> Hi people. I'm working on a trust relation between Samba 3.3.X and Windows 2003 AD mixed mode. I have read the doc about this but for some reason it won't work; my PDC+LDAP is working but I still cannot make these 2 servers share users.
>
> In my experience, it is fairly straightforward to get AD users trusted by the Samba controlled Domain, although granular file permissions are tricky at best. In the opposite direction, this is quite difficult, unless the AD domain is in the very old now, mixed mode.
>
> Could u please give me the process u use to create the relation between win2k3(in/out) and samba? I will appreciate it, thanks!!!
>
> -- LIving the dream...
Re: [Samba] Domain trust between a Samba PDC domain and W2K ADdomain
PS most of the procedure for setting up trusts is in the docs on the samba.org site. The idmap stuff is tricky since the mechanics seem to change with each samba version.

Once you have set up trusts, you want to make sure that the samba machine sees the AD users and groups with wbinfo -u and wbinfo -g. (usually pretty easy to get to this part.) Then you want to update nsswitch.conf to make sure getent passwd and getent group also show the AD users. (this relies on the idmap stuff working.)

-------- Original Message --------
Subject: Re: [Samba] Domain trust between a Samba PDC domain and W2K ADdomain
Date: Wed, 05 Jan 2011 17:53:48 -0500
From: Gaiseric Vandal gaiseric.van...@gmail.com
Reply-To: gaiseric.van...@gmail.com
To: samba@lists.samba.org

I have a samba domain (Samba 3.4.x PDC) and a Windows 2003 (in 2003 native mode) domain. Trusts MOSTLY work- having Samba recognize AD users is a little trickier.

For samba to trust windows, make sure you have idmap info defined in smb.conf. I have an ldap backend- it may not be quite correct.

    #IDMAP DEFAULT ALLOC
    idmap alloc backend = ldap
    idmap alloc config:ldap_url = ldap://ldap1.mydomain.com
    idmap alloc config:ldap_base_dn = ou=alloc,ou=idmap,o=mydomain.com
    idmap alloc config:ldap_user_dn = cn=
    idmap alloc config:range = 3 - 7
    idmap config WINDOMAIN:backend = ldap
    idmap config WINDOMAIN:readonly = no
    idmap config WINDOMAIN:default=no
    idmap config WINDOMAIN:ldap_base_dn = ou=windomain,ou=idmap,o=mydomain.com
    idmap config WINDOMAIN:ldap_user_dn = cn=
    idmap config WINDOMAIN:ldap_url = ldap://ldap1.mydomain.com
    idmap config WINDOMAIN:range = 3-3

I would also make sure that both the samba and windows DC use the same WINS server. You may want to have them use the same DNS server- or at least make sure that the DNS server each is using supports the AD DNS stuff from the windows domain.

On the samba PDC, I also added an entry in krb5.conf for the trusted domain. Not sure if that really mattered. Samba logs indicated it was looking for the kdc for the administration domain.

On 01/05/2011 04:52 PM, t...@tms3.com wrote:
> SNIP
>
> Hi people. I'm working on a trust relation between Samba 3.3.X and Windows 2003 AD mixed mode. I have read the doc about this but for some reason it won't work; my PDC+LDAP is working but I still cannot make these 2 servers share users.
>
> In my experience, it is fairly straightforward to get AD users trusted by the Samba controlled Domain, although granular file permissions are tricky at best. In the opposite direction, this is quite difficult, unless the AD domain is in the very old now, mixed mode.
>
> Could u please give me the process u use to create the relation between win2k3(in/out) and samba? I will appreciate it, thanks!!!
>
> -- LIving the dream...
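The check described in the PS above (winbind lists the AD names with wbinfo, then NSS must resolve them with getent) can be scripted so that a broken idmap shows up as a list of names. This is an added example, not code from the thread; the function name `unresolved` and the WBINFO/GETENT override variables are assumptions introduced here so the check can be exercised without a domain.

```shell
#!/bin/sh
# Added example (not from the thread): list names that winbind can
# enumerate but that NSS cannot resolve, i.e. trust works, idmap does not.
# WBINFO and GETENT are hypothetical override hooks for offline testing.
WBINFO=${WBINFO:-wbinfo}
GETENT=${GETENT:-getent}

# unresolved FLAG DB
#   FLAG: -u (users) or -g (groups), passed to wbinfo
#   DB:   passwd or group, passed to getent
# Prints every enumerated name that getent cannot resolve.
# Returns 0 if all resolve, 1 if any are missing, 2 if wbinfo fails.
unresolved() {
    flag=$1 db=$2 missing=0
    names=$($WBINFO "$flag") || { echo "wbinfo $flag failed" >&2; return 2; }
    # Read line by line: names may contain spaces ("Domain Users") and
    # the winbind separator is a backslash, hence read -r.
    while IFS= read -r name; do
        [ -n "$name" ] || continue
        # Look each name up by key. A bare "getent passwd" lists winbind
        # entries only when "winbind enum users/groups" is enabled.
        if ! $GETENT "$db" "$name" >/dev/null 2>&1; then
            printf '%s\n' "$name"
            missing=1
        fi
    done <<EOF
$names
EOF
    return "$missing"
}

# Run both checks when the script is invoked with the argument "run".
if [ "${1:-}" = "run" ]; then
    unresolved -u passwd
    unresolved -g group
fi
```

Any name it prints is visible through the trust but has no uid/gid mapping through nsswitch.conf, so ownership and permission checks on the Samba host cannot refer to that account.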