Re: [Samba] allow trusted domains

2012-03-11 Thread Andrew Bartlett
On Sun, 2012-03-11 at 09:26 +0700, Victor Sudakov wrote:
 Andrew Bartlett wrote:
   
   Is there a way to map all trusted domain users to the guest account?
   
   As if they were nonexistent users or users from untrusted domains.
   If I could maintain a list of domains for the samba server to trust,
   it would be fine too.
  
  Try 'map to guest = bad uid'.
 
 Will it not interfere with add user script?

No idea.  As simo has suggested, what you are doing is essentially
unsupported.  If it happens to work, great, if it does not, then we
really can't do anything more.

Andrew Bartlett

-- 
Andrew Bartlett                        http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] allow trusted domains

2012-03-10 Thread Andrew Bartlett
On Wed, 2012-03-07 at 19:17 +0700, Victor Sudakov wrote:
 Colleagues, 
 
 Is there a way to map all trusted domain users to the guest account?
 
 As if they were nonexistent users or users from untrusted domains.
 If I could maintain a list of domains for the samba server to trust,
 it would be fine too.

Try 'map to guest = bad uid'.

Andrew Bartlett

-- 
Andrew Bartlett                        http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org



Re: [Samba] allow trusted domains

2012-03-10 Thread Victor Sudakov
Andrew Bartlett wrote:
  
  Is there a way to map all trusted domain users to the guest account?
  
  As if they were nonexistent users or users from untrusted domains.
  If I could maintain a list of domains for the samba server to trust,
  it would be fine too.
 
 Try 'map to guest = bad uid'.

Will it not interfere with add user script?

-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
sip:suda...@sibptus.tomsk.ru


Re: [Samba] allow trusted domains

2012-03-07 Thread Victor Sudakov
Colleagues, 

Is there a way to map all trusted domain users to the guest account?

As if they were nonexistent users or users from untrusted domains.
If I could maintain a list of domains for the samba server to trust,
it would be fine too.

-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
sip:suda...@sibptus.tomsk.ru


Re: [Samba] allow trusted domains

2012-03-04 Thread Victor Sudakov
simo wrote:
[dd]

My question: if BERYLIUM trusts ANOTHERDOMAIN, and
ANOTHERDOMAIN\WambatW tries to open a connection to my Samba server,
what user will be looked up in /etc/passwd?
   
   It should be:
   ANOTHERDOMAIN\WambatW
  
  A Unix user with a slash in the login name? Sorry I doubt that because
  I have a script in smb.conf:
  
  add user script = /usr/sbin/pw useradd %u -m -Y -M 755
  
  and the script's log shows that those users from trusted domains are
  being created as WambatW, not ANOTHERDOMAIN\WambatW. 
  
  How/where can I see/debug the actual mapping happening?
 
 When using trusted domains you should run winbindd, relying on add user
 script is basically not supported/tested for trusted domain.

This is very sad news. My add user script creates users in the NIS
database which is made available to several Unix hosts. This is a very
reliable technology: once a user is created, it remains rock solid. I
feel very reluctant for the Unix user ids to depend upon some obscure
IDMAP databases prone to corruption, and the availability of Windows
domain controllers.

Is there a way to map all trusted domain users to the guest account?

So that they have access rights to public shares equal to those of
nonexistent users?

-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
sip:suda...@sibptus.tomsk.ru


Re: [Samba] allow trusted domains

2012-03-03 Thread Andrew Bartlett
On Mon, 2012-02-27 at 14:07 +0700, Victor Sudakov wrote:
 As written in 
 http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/idmapper.html
 
   Where winbindd is not used Samba (smbd) uses the underlying
   UNIX/Linux mechanisms to resolve the identity of incoming network
   traffic. This is done using the LoginID (account name) in the session
   setup request and passing it to the getpwnam() system function call.
   This call is implemented using the name service switch (NSS) mechanism
   on modern UNIX/Linux systems. By saying users and groups are local,
   we are implying that they are stored only on the local system, in the
   /etc/passwd and /etc/group respectively.
 
   For example, when the user BERYLIUM\WambatW tries to open a connection
   to a Samba server the incoming SessionSetupAndX request will make a
   system call to look up the user WambatW in the /etc/passwd file. 
 
 My question: if BERYLIUM trusts ANOTHERDOMAIN, and
 ANOTHERDOMAIN\WambatW tries to open a connection to my Samba server,
 what user will be looked up in /etc/passwd?

It should be:
ANOTHERDOMAIN\WambatW

-- 
Andrew Bartlett                        http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org



Re: [Samba] allow trusted domains

2012-03-03 Thread Victor Sudakov
Andrew Bartlett wrote:
  As written in 
  http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/idmapper.html
  
  Where winbindd is not used Samba (smbd) uses the underlying
  UNIX/Linux mechanisms to resolve the identity of incoming network
  traffic. This is done using the LoginID (account name) in the session
  setup request and passing it to the getpwnam() system function call.
  This call is implemented using the name service switch (NSS) mechanism
  on modern UNIX/Linux systems. By saying users and groups are local,
  we are implying that they are stored only on the local system, in the
  /etc/passwd and /etc/group respectively.
  
  For example, when the user BERYLIUM\WambatW tries to open a connection
  to a Samba server the incoming SessionSetupAndX request will make a
  system call to look up the user WambatW in the /etc/passwd file. 
  
  My question: if BERYLIUM trusts ANOTHERDOMAIN, and
  ANOTHERDOMAIN\WambatW tries to open a connection to my Samba server,
  what user will be looked up in /etc/passwd?
 
 It should be:
 ANOTHERDOMAIN\WambatW

A Unix user with a slash in the login name? Sorry I doubt that because
I have a script in smb.conf:

add user script = /usr/sbin/pw useradd %u -m -Y -M 755

and the script's log shows that those users from trusted domains are
being created as WambatW, not ANOTHERDOMAIN\WambatW. 

How/where can I see/debug the actual mapping happening?

-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
sip:suda...@sibptus.tomsk.ru


Re: [Samba] allow trusted domains

2012-03-03 Thread simo
On Sat, 2012-03-03 at 16:59 +0700, Victor Sudakov wrote: 
 Andrew Bartlett wrote:
   As written in 
   http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/idmapper.html
   
 Where winbindd is not used Samba (smbd) uses the underlying
 UNIX/Linux mechanisms to resolve the identity of incoming network
 traffic. This is done using the LoginID (account name) in the session
 setup request and passing it to the getpwnam() system function call.
 This call is implemented using the name service switch (NSS) mechanism
 on modern UNIX/Linux systems. By saying users and groups are local,
 we are implying that they are stored only on the local system, in the
 /etc/passwd and /etc/group respectively.
   
 For example, when the user BERYLIUM\WambatW tries to open a connection
 to a Samba server the incoming SessionSetupAndX request will make a
 system call to look up the user WambatW in the /etc/passwd file. 
   
   My question: if BERYLIUM trusts ANOTHERDOMAIN, and
   ANOTHERDOMAIN\WambatW tries to open a connection to my Samba server,
   what user will be looked up in /etc/passwd?
  
  It should be:
  ANOTHERDOMAIN\WambatW
 
 A Unix user with a slash in the login name? Sorry I doubt that because
 I have a script in smb.conf:
 
 add user script = /usr/sbin/pw useradd %u -m -Y -M 755
 
 and the script's log shows that those users from trusted domains are
 being created as WambatW, not ANOTHERDOMAIN\WambatW. 
 
 How/where can I see/debug the actual mapping happening?

When using trusted domains you should run winbindd, relying on add user
script is basically not supported/tested for trusted domain.

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer s...@samba.org
Principal Software Engineer at Red Hat, Inc. s...@redhat.com



Re: [Samba] allow trusted domains

2012-03-03 Thread Victor Sudakov
simo wrote:
[dd]

My question: if BERYLIUM trusts ANOTHERDOMAIN, and
ANOTHERDOMAIN\WambatW tries to open a connection to my Samba server,
what user will be looked up in /etc/passwd?
   
   It should be:
   ANOTHERDOMAIN\WambatW
  
  A Unix user with a slash in the login name? Sorry I doubt that because
  I have a script in smb.conf:
  
  add user script = /usr/sbin/pw useradd %u -m -Y -M 755
  
  and the script's log shows that those users from trusted domains are
  being created as WambatW, not ANOTHERDOMAIN\WambatW. 
  
  How/where can I see/debug the actual mapping happening?
 
 When using trusted domains you should run winbindd, relying on add user
 script is basically not supported/tested for trusted domain.

This is very sad news. My add user script creates users in the NIS
database which is made available to several Unix hosts. This is a very
reliable technology: once a user is created, it remains rock solid. I
feel very reluctant for the Unix user ids to depend upon some obscure
IDMAP databases prone to corruption, and the availability of Windows
domain controllers.

Is there a way to map all trusted domain users to the guest account?

-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
sip:suda...@sibptus.tomsk.ru


Re: [Samba] allow trusted domains

2012-03-01 Thread Victor Sudakov
Victor Sudakov wrote:
 
 My question: if BERYLIUM trusts ANOTHERDOMAIN, and
 ANOTHERDOMAIN\WambatW tries to open a connection to my Samba server,
 what user will be looked up in /etc/passwd?

If nobody knows the answer, please tell me at least, what log I can
study to figure out, which Windows user is mapped to which Unix user
by smbd?

Eventually, I would like to map all users from trusted domains to the 
guest account, is that possible?

-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
sip:suda...@sibptus.tomsk.ru


[Samba] allow trusted domains

2012-02-26 Thread Victor Sudakov
There is a samba compiled without winbind support, with the following
options configured:

workgroup = MYDOMAIN
security = domain
allow trusted domains = yes
add user script = /usr/sbin/pw useradd %u -m -Y -M 755

When a Windows user MYDOMAIN\john connects to the samba server, he is
mapped to the Unix user john. If there is no Unix user john, it is
created by the add user script.

How will the users OTHERDOMAIN\otheruser and especially
OTHERDOMAIN\john be mapped/created?

If OTHERDOMAIN\john is mapped to the same Unix user as MYDOMAIN\john,
it's a big security hole.

-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
sip:suda...@sibptus.tomsk.ru


Re: [Samba] allow trusted domains

2012-02-26 Thread Victor Sudakov
As written in 
http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/idmapper.html

Where winbindd is not used Samba (smbd) uses the underlying
UNIX/Linux mechanisms to resolve the identity of incoming network
traffic. This is done using the LoginID (account name) in the session
setup request and passing it to the getpwnam() system function call.
This call is implemented using the name service switch (NSS) mechanism
on modern UNIX/Linux systems. By saying users and groups are local,
we are implying that they are stored only on the local system, in the
/etc/passwd and /etc/group respectively.

For example, when the user BERYLIUM\WambatW tries to open a connection
to a Samba server the incoming SessionSetupAndX request will make a
system call to look up the user WambatW in the /etc/passwd file. 

My question: if BERYLIUM trusts ANOTHERDOMAIN, and
ANOTHERDOMAIN\WambatW tries to open a connection to my Samba server,
what user will be looked up in /etc/passwd?

Victor Sudakov wrote:
 There is a samba compiled without winbind support, with the following
 options configured:
 
 workgroup = MYDOMAIN
 security = domain
 allow trusted domains = yes
 add user script = /usr/sbin/pw useradd %u -m -Y -M 755
 
 When a Windows user MYDOMAIN\john connects to the samba server, he is
 mapped to the Unix user john. If there is no Unix user john, it is
 created by the add user script.
 
 How will the users OTHERDOMAIN\otheruser and especially
 OTHERDOMAIN\john be mapped/created?
 
 If OTHERDOMAIN\john is mapped to the same Unix user as MYDOMAIN\john,
 it's a big security hole.
 
 -- 
 Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
 sip:suda...@sibptus.tomsk.ru

-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
sip:suda...@sibptus.tomsk.ru


Re: [Samba] 'allow trusted domains = no' and sidhistory = bad

2009-11-14 Thread Nick
After a fair amount of playing around with the config file, I seem to
have found something that will work.

My original configuration was:

idmap backend = rid:MYDOMAIN=10-2147483640
idmap uid = 10-2147483640
idmap gid = 10-2147483640

The new config is:
idmap backend = nss
idmap config MYDOMAIN : backend = rid
idmap config MYDOMAIN : range = 10-2147483640

After some testing I found that the foreign sids in the main domain
were actually treated like they were on a separate domain, but due to
my configuration they were getting pulled from the same pool.  By
splitting out the main domain into a separate idmap config section, I
am making sure that only the sids from the main domain will be given
numbers within that pool.  The annoying part was trying to find a way
to get the foreign sids to be completely ignored.  I found that using
tdb or tdb2 for idmap backend would not allow users to be resolved
unless I specified the idmap uid/gid parameters, and in that
configuration the foreign sids were still being assigned numbers,
which is not desirable.  I found that using the nss or adex backends
seemed to do fine in that they don't assign ids to the foreign sids,
but still allow the lookup process to complete.  At this point I
prefer not to use the ad/adex backends since our domain is not set up
consistently, and some users have gidNumber attributes where others do
not (and I want to completely ignore these gidNumber attributes in
favor of the ids generated by idmap_rid).

Now, if only I could get
https://bugzilla.samba.org/show_bug.cgi?id=6766 fixed I would be all
set...


On Fri, Nov 13, 2009 at 4:45 PM, Nick t...@2thebatcave.com wrote:
 We are in an environment where several AD domains are being
 consolidated into one larger domain using sidhistory.  The samba
 winbind configuration is using 'allow trusted domains = no' as we do
 not care about what is in the other domains (as well as the problem
 that many of them are unreachable from other locations meaning winbind
 will choke completely if we don't disallow them).

 The symptom I am having is that running 'groups' as an AD user
 results in several "id: cannot find name for group ID" errors.
 Upon some investigation, I found that those IDs reference sids in the
 old domains (kept in the new domain with the sidhistory function).
 There are several "Could not find domain for sid ..." errors in the
 logs, which makes sense since it can't contact those old domains.

 Is there any way to completely disable samba looking at the sidhistory
 (at least when 'allow trusted domains = no')?  While part of the
 problem could be fixed by having samba properly do the reverse id
 resolution for the sids to the name on the new domain, that is
 problematic for us since we are using idmap_rid which would allow some
 id collisions due to the fact that there are multiple domains
 involved.  There are a huge number of objects so I don't want to use
 idmap_hash or divide up the id pool within idmap_rid.

 Just for testing I tried using idmap_hash and it does not get rid of
 the errors.  I'm assuming that setting 'allow trusted domains = yes'
 would allow resolution of those groups as long as the old domains were
 still available, however I cannot even test this since the majority of
 the trusted domains are unreachable and cause winbind to stop
 functioning altogether.

 I thought about hacking through the source code to remove sids from
 different domains when processing the supplementary groups and 'allow
 trusted domains = no', but it would be better if there was an official
 solution for this so I don't end up with some crazy unmaintainable
 patch.



[Samba] 'allow trusted domains = no' and sidhistory = bad

2009-11-13 Thread Nick
We are in an environment where several AD domains are being
consolidated into one larger domain using sidhistory.  The samba
winbind configuration is using 'allow trusted domains = no' as we do
not care about what is in the other domains (as well as the problem
that many of them are unreachable from other locations meaning winbind
will choke completely if we don't disallow them).

The symptom I am having is that running 'groups' as an AD user
results in several "id: cannot find name for group ID" errors.
Upon some investigation, I found that those IDs reference sids in the
old domains (kept in the new domain with the sidhistory function).
There are several "Could not find domain for sid ..." errors in the
logs, which makes sense since it can't contact those old domains.

Is there any way to completely disable samba looking at the sidhistory
(at least when 'allow trusted domains = no')?  While part of the
problem could be fixed by having samba properly do the reverse id
resolution for the sids to the name on the new domain, that is
problematic for us since we are using idmap_rid which would allow some
id collisions due to the fact that there are multiple domains
involved.  There are a huge number of objects so I don't want to use
idmap_hash or divide up the id pool within idmap_rid.

Just for testing I tried using idmap_hash and it does not get rid of
the errors.  I'm assuming that setting 'allow trusted domains = yes'
would allow resolution of those groups as long as the old domains were
still available, however I cannot even test this since the majority of
the trusted domains are unreachable and cause winbind to stop
functioning altogether.

I thought about hacking through the source code to remove sids from
different domains when processing the supplementary groups and 'allow
trusted domains = no', but it would be better if there was an official
solution for this so I don't end up with some crazy unmaintainable
patch.
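To make the two identity-mapping behaviours in these threads concrete, here is an added Python model (written for this page, not Samba's own code). It covers Victor's winbindd-less case, where smbd drops the domain prefix before calling getpwnam(), and Nick's idmap_rid configurations, one with a single rid backend and pool for every domain and one restricted to MYDOMAIN. It assumes a simplified idmap_rid rule of id = range low + RID; the domain SIDs and RIDs are constructed sample values.

```python
import re

# Constructed sample identities (not taken from the list archive).
MYDOMAIN_SID = "S-1-5-21-1111-2222-3333"    # the domain the server is joined to
OLDDOMAIN_SID = "S-1-5-21-4444-5555-6666"   # a trusted / sidHistory domain
LOW, HIGH = 10, 2147483640                  # Nick's idmap range, as posted


def unix_name_without_winbind(netbios_name):
    """smbd without winbindd: only the account name after the backslash is
    handed to getpwnam() (and to 'add user script' as %u); the domain part
    is discarded, so DOM1\\john and DOM2\\john become the same Unix user."""
    return netbios_name.rsplit("\\", 1)[-1]


_SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")


def split_sid(sid):
    """Split a domain-relative SID into (domain SID, RID)."""
    m = _SID_RE.match(sid)
    if m is None:
        raise ValueError("not a domain-relative SID: %s" % sid)
    return m.group(1), int(m.group(2))


def rid_map_any_domain(sid):
    """Simplified idmap_rid (id = range low + RID) applied to every SID, as
    happens when one rid backend and one uid/gid pool serve all domains."""
    _, rid = split_sid(sid)
    uid = LOW + rid
    return uid if uid <= HIGH else None


def rid_map_per_domain(sid, domain_sid=MYDOMAIN_SID):
    """'idmap config MYDOMAIN : backend = rid' with its own range: only SIDs
    from that domain get an id; a foreign SID is left unmapped (None)."""
    dom, rid = split_sid(sid)
    if dom != domain_sid:
        return None
    uid = LOW + rid
    return uid if uid <= HIGH else None


def collisions(identities, mapper):
    """Return {unix_id: [identities]} for every Unix id claimed by more than
    one Windows identity; unmapped identities (None) are ignored."""
    by_id = {}
    for ident in identities:
        by_id.setdefault(mapper(ident), []).append(ident)
    return {k: v for k, v in by_id.items() if k is not None and len(v) > 1}


if __name__ == "__main__":
    names = ["MYDOMAIN\\john", "OTHERDOMAIN\\john", "MYDOMAIN\\alice"]
    print("no winbindd :", collisions(names, unix_name_without_winbind))
    sids = [MYDOMAIN_SID + "-1105", OLDDOMAIN_SID + "-1105",
            MYDOMAIN_SID + "-1106"]
    print("global rid  :", collisions(sids, rid_map_any_domain))
    print("per-domain  :", collisions(sids, rid_map_per_domain))
```

Run as a script, the first two lines show the same-name and same-RID collisions the posters were worried about; the third is empty because the foreign SID is simply not mapped.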


[Samba] allow trusted domains ... how to specify domains?

2003-03-08 Thread unolinuxguru
I am running a samba pdc on host debianpdc for domain linuxdom and
have set allow trusted domains = yes in my [global] smb.conf file... now
how do I specify which domains to trust?

I would like to trust an NT4 domain nt4dom run by the host nt4pdc on
the same network.

