[Samba] Re: Remote Citrix Auth Pass-Through ...

2004-01-26 Thread C.Lee Taylor
Greetings ...

   Thanks again for your response ... it currently feels like I am 
banging my head against a M$ Wall ...

   Now if we use winbind, we can't set up the Linux servers as PDC. 
   

This is incorrect.  Winbind runs perfectly fine against Samba 3.0.
 

   No, what I mean is: if you enable domain logons = yes, getent passwd 
does not return any users from the AD system, which means I can't have a 
remote Samba server acting as PDC to host the netlogon service ...

That is a limitation of winbind, and without the Samba servers running 
as PDCs I can't get the local workstations at the remote sites to 
process login scripts.
   

Logon scripts for their own domain, or logon scripts for trusted
domains?
 

   For the domain that is local to the user ... which would be a Samba 
server at a remote site ...

   I could give up on the idea of remote sites' local workstations 
automatically processing login scripts, because that is the only real 
thing I am looking for.  I could manually add login scripts to all the 
workstations, or I could work out something with trusts.

   I have been trying to set up a trust both ways between AD and 
Samba, but TS will not let any of my users log in from Samba.
   

How about you sort out your terminal-services issues first.  I think you
might be being bitten by generic Samba/TS interactions, and are just
making your life more difficult by looking for the most complex
solution.
 

   I am not sure that is the problem; as a test, I have been able to 
join a Win2K3 TS system to my lovely Samba domain and everything works 
fine.  No problem there.

In a Samba domain, win2k TS clients need Samba 3.0.1 to store the right
extra information.  But it sounds like you don't want to run a Samba
PDC, except for the fact that it would allow you to serve up a logon
script.  Can't AD do that as well, if not better?
 

   My real problem is a few $h!ty applications which I have no control 
over.  iScala, a finance system which uses M$SQL2K, tied very closely 
into AD. And then Citrix or maybe TS ...

   I am currently trying to create a trust between the Samba and AD domains 
so that users in my Samba domain have access to AD resources, which 
currently means access to iScala.  But I am still going to have to find 
a way to get my remote Samba users to access Citrix via 
Pass-Through-Auth, but from what I have seen, I might not have many options 
left.

Thanks
Mailed
Lee
--
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba


[Samba] Re: Remote Citrix Auth Pass-Through ...

2004-01-24 Thread Andrew Bartlett
On Fri, 2004-01-23 at 04:16, C.Lee Taylor wrote:

 But my problem is that I would like to use the users in ADS, which 
 with this setup, I have to set up Linux users which would then be trusted 
 by ADS, but then I will lose all the delegation features that ADS 
 brings Microsoft guys, which is why we are putting this in.

I'm not sure what you mean here.

 Is there no way that I could have my users in ADS, with remote Linux 
 servers supporting netlogon scripts for these users?  This is what I am 
 really looking for ...

This is probably not possible.  I think the logon scripts are always
served up by the ADS domain anyway...

-- 
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team  [EMAIL PROTECTED]
Student Network Administrator, Hawker College   [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net



[Samba] Re: Remote Citrix Auth Pass-Through ...

2004-01-24 Thread C.Lee Taylor
Greetings ...

   Thanks for your reply, Andrew. I think I will try and explain again 
what I am trying to do; maybe I am just going at this the wrong way ...

I'm not sure what you mean here.
 

   We have two applications which will be distributed by Citrix.  I 
would like to have one username and password for all the services ... 
Single-Sign-On. Windows2003 has been chosen for our AD.  We have a few 
remote sites with Linux file/print servers.

   Now if we use winbind, we can't set up the Linux servers as PDC.  
That is a limitation of winbind, and without the Samba servers running 
as PDCs I can't get the local workstations at the remote sites to 
process login scripts.

   I could give up on the idea of remote sites' local workstations 
automatically processing login scripts, because that is the only real 
thing I am looking for.  I could manually add login scripts to all the 
workstations, or I could work out something with trusts.

   I have been trying to set up a trust both ways between AD and 
Samba, but TS will not let any of my users log in from Samba.

   Throwing in my coin to the wishing well, I wish that Samba could do 
the domain stuff with AD, but I think that is still a little way off ...

Thanks
Mailed
Lee


[Samba] Re: Remote Citrix Auth Pass-Through ...

2004-01-24 Thread Andrew Bartlett
On Sun, 2004-01-25 at 00:44, C.Lee Taylor wrote:
 Greetings ...
 
 Thanks for your reply, Andrew. I think I will try and explain again 
 what I am trying to do; maybe I am just going at this the wrong way ...
 
 I'm not sure what you mean here.
   
 
 
 We have two applications which will be distributed by Citrix.  I 
 would like to have one username and password for all the services ... 
 Single-Sign-On. Windows2003 has been chosen for our AD.  We have a few 
 remote sites with Linux file/print servers.
 
 Now if we use winbind, we can't set up the Linux servers as PDC. 

This is incorrect.  Winbind runs perfectly fine against Samba 3.0.

  
 That is a limitation of winbind, and without the Samba servers running 
 as PDCs I can't get the local workstations at the remote sites to 
 process login scripts.

Logon scripts for their own domain, or logon scripts for trusted
domains?

 I could give up on the idea of remote sites' local workstations 
 automatically processing login scripts, because that is the only real 
 thing I am looking for.  I could manually add login scripts to all the 
 workstations, or I could work out something with trusts.
 
 I have been trying to set up a trust both ways between AD and 
 Samba, but TS will not let any of my users log in from Samba.

How about you sort out your terminal-services issues first.  I think you
might be being bitten by generic Samba/TS interactions, and are just
making your life more difficult by looking for the most complex
solution.

In a Samba domain, win2k TS clients need Samba 3.0.1 to store the right
extra information.  But it sounds like you don't want to run a Samba
PDC, except for the fact that it would allow you to serve up a logon
script.  Can't AD do that as well, if not better?

Andrew Bartlett


[Samba] Re: Remote Citrix Auth Pass-Through ...

2004-01-22 Thread C.Lee Taylor
Greetings ...

Andrew Bartlett wrote:

	I am posting here, because I believe this is a little more technical than 
"I can't get my server to work" ...
   

This is still not the place.  Samba technical is not technical
support, it's technical development of Samba.
 

   Okay, sorry ... done ...

   Sorry for the long delay, but I have had other projects to try and 
bring up to scratch ...

	If I use winbind, I can't set up a PDC.  It was explained to create a 
trust between my Samba domain and ADS domain, and this way I should be 
able to pass auth through the trust and as I have thought this through, 
I believe all my users will belong in ADS domain and all the Machine 
accounts would belong in Samba domain, but I can't get the trust working 
... I think this is because of the fact that our ADS is in native mode, 
and the HowTo only converts Mixed mode, and warns against using/trying 
in Native Mode ( somebody's got to try it some time ) ...
   

Now this is interesting.  We have the code to handle this, but we
don't use it.  The RPC backends *should* allow you to handle this, but
it is suboptimal.
 

   Okay, following chapter 16 I do ...

   On Win2K3 DC I run the create Trust procedure ( which I should maybe 
put a little step by step down on paper ) ... I found if I had smb 
running when I ran this I would get all sorts of netlogon secure channel 
not working errors ... but if I had started smb long enough for WINS to 
have it listed, then stopped smb, it would go through without asking too many 
questions ...

   I would then run ...

   useradd domain-ads
   smbpasswd -a -i domain-ads
   net rpc trustdom establish domain-ads
   All successful ...

   I then found that it would trust both ways ... works nicely from what I 
can see ...

   But my problem is that I would like to use the users in ADS, which 
with this setup, I have to set up Linux users which would then be trusted 
by ADS, but then I will lose all the delegation features that ADS 
brings Microsoft guys, which is why we are putting this in.

   Is there no way that I could have my users in ADS, with remote Linux 
servers supporting netlogon scripts for these users?  This is what I am 
really looking for ...

	So, I was hoping that somebody might be able to help me, or if I am 
missing info ( which I can't think of what to put in here without 
flooding the list with information that is not needed ) what would be 
best to forward ...
   

Start by setting an 'IPC username', with wbinfo --set-auth-user=...
 

   Which user should I use? After the trust was working, I was able to work 
both ways for general stuff ...

I have a long-term goal of removing the need for a 'security=ADS'
parameter, moving to more autodetection.  This should help this kind
of thing a lot, as we can pick up what domains to do what with more
easily.
 

   I have seen you want to do this in past posts ... more autodetection 
is kewl if there is no loss of flexibility or control from a good admin ...

Thanks
Mailed
Lee
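The three trust-setup commands from the post above, wrapped in an added verification script; this is example code, not from the thread or from the Samba project. It assumes a Samba 3.x PDC with root for the setup step, the default winbind separator '\', a constructed placeholder trusted-domain name (ADSDOM), and that the AD-side "create trust" step has already been run on the Win2K3 DC as the post describes.

```shell
#!/bin/sh
# Added example (not from the thread): the post's trust-setup steps followed by
# read-only checks that the trust is usable from the Samba side. Assumes Samba 3.x,
# root for the setup step, winbind separator '\', placeholder domain ADSDOM.

# Read `wbinfo -m` output (one trusted domain per line) from stdin; succeed only if
# the wanted domain is listed. Stdin-based so it can be exercised with canned input.
trust_listed() {
    want="$1"
    while IFS= read -r listed; do
        [ "$listed" = "$want" ] && return 0
    done
    return 1
}

# Read passwd-style lines (getent passwd) from stdin and count the accounts that
# winbind produced, i.e. names containing the winbind separator. The poster's
# symptom was this count being zero with 'domain logons = yes'.
count_domain_users() {
    sep="$1"
    n=0
    while IFS=: read -r name _rest; do
        case "$name" in
            *"$sep"*) n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# The post's procedure: Unix account for the trust, trust password (-i marks an
# inter-domain trust account), then the RPC trust itself. Stops at the first failure.
establish_trust() {
    useradd "$1" && smbpasswd -a -i "$1" && net rpc trustdom establish "$1"
}

main() {
    dom="$1"
    establish_trust "$dom" || { echo "trust setup for $dom failed" >&2; exit 1; }
    if wbinfo -m | trust_listed "$dom"; then
        echo "winbind lists trusted domain $dom"
    else
        echo "winbind does not list $dom; compare with 'net rpc trustdom list'" >&2
    fi
    echo "winbind accounts visible through NSS: $(getent passwd | count_domain_users '\')"
}

# Only act when explicitly asked, so sourcing the file for its functions is harmless.
case "${1:-}" in
    --run) main "${2:-ADSDOM}" ;;
    *) echo "usage: $0 --run TRUSTED_DOMAIN" >&2 ;;
esac
```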