This is a discussion on RE: [Samba] winbind auth using ADS with domain trusts within the Samba forums, part of the Networking and Network Related category.
I would be interested in contributing, but I have oh so many questions; once I understand, I will document what I know. For myself, I am totally not interested in ANY NT style domain functionality, but rather full 100% pure Active Directory integration. I am now exploring PADL stuff and Kerberos stuff along with either AD4Unix or SFU3.5. However, I am concerned over PADL's lack of caching and I'm interested in winbindd.

I'm also interested in automation of UID/GID generation, perhaps with IDMAP. I would want them written back to AD LDAP, rather than a separate database. I don't know if it does this already. I would also be interested in developing my own scheme for how UID/GID are generated in correlation to SID, so I might avoid IDMAP (or change it, mumuhuhuhaha).

- Joaquin Menchaca

-----Original Message-----
From: samba-bounces+letz_samba=realmspace.com@lists.samba.org [mailto:samba-bounces+letz_samba=realmspace.com@lists.samba.org] On Behalf Of John H Terpstra
Sent: Wednesday, November 23, 2005 2:25 PM
To: Shaun Kruger
Cc: samba@samba.org
Subject: Re: [Samba] winbind auth using ADS with domain trusts

On Wednesday 23 November 2005 14:34, you wrote:
> On 11/23/05, John H Terpstra <jht@samba.org> wrote:
> > On Wednesday 23 November 2005 14:03, Shaun Kruger wrote:
> > > In reading the documentation I haven't found anything that covers the
> > > use of winbindd when authenticating against one domain (let's call it
> > > 'A') while also allowing users from a domain trusted by A (let's call it
> > > 'B').
> >
> > What documentation have you read so far?
>
> I've been spending a lot of time with the Samba howto collection
> http://us4.samba.org/samba/docs/man/...TO-Collection/
> I've been reading about domain membership and winbindd

OK. So perhaps you are delving head-first into the mechanic's guide before you have mastered deployment? The book "Samba-3 by Example" is designed to help people to deploy Samba-3 BEFORE they start to tinker with its arcane features.
(see http://www.samba.org/samba/docs/Samba3-ByExample.pdf)

Having a working system before tinkering makes it easier to observe the effects of change, and thus aids and accelerates learning.

Chapter 7 of the ByExample book provides information on adding Samba servers that are domain members. Mastery of domain member servers will help you with interdomain trust handling.

In any case, the Samba3-HOWTO (aka Samba3-HOWTO-Collection) (see http://www.samba.org/samba/docs/Samba3-HOWTO.pdf) has a few chapters you will need to refer to:

Chapter 18 describes how interdomain trusts can be established - create interdomain trusts so that users from one domain can access resources in a foreign domain.

Chapter 11 describes group management concepts.

Chapter 12 describes the use of the 'net' command - you will need to establish nested groups that will be used to permit users from trusted domains to access resources that are used in the trusting domain. If you do not do this, foreign domain users and groups will operate with independent UID/GID data, thus necessitating relaxation of UNIX file system permissions so that local and foreign users can access the same resources.

Chapter 13 describes IDMAP functionality - your foreign user and group SIDs must be translated to locally known UID/GID values - that is the role of winbind. However, it can also be done without winbind - in that case the accounts must be capable of being resolved locally on the Samba server.

Chapter 14 describes user rights and privileges - remote administration of a foreign domain is possible only through use of these facilities, which were new to Samba 3.0.11.

Above all, you need to understand how in a pure Windows NT/200x world interdomain trusts are used. My documentation does not try to impart that knowledge.

I am the first to admit that the HOWTO does not provide a neatly integrated guide to setting up a domain member server, nor does it provide a detailed document to describe use of interdomain file and directory access. I'd much appreciate it if someone would contribute a well documented chapter on these subjects.

Despite all this, I strongly believe that the domain controller, backup domain controller and domain membership chapters in the HOWTO are in need of restructuring. I am working on the next generation documentation that will ultimately replace these chapters - I just do not know when this will be implemented due to other priorities.

I believe that "Samba-3 by Example" is the best place for deployment guidance and that the HOWTO should stick to explanation of how Samba features function and can be used. The purpose of the HOWTO is NOT to provide documented deployment guidance. It is my intent to put further examples of use into the Samba-3 by Example book.

- John T.

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba
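The thread turns on two points: foreign SIDs must be translated to locally known UID/GID values, and a deterministic scheme that derives the ID from the SID can avoid keeping a separate mapping database. The sketch below is an added illustration written for this page, not Samba's own idmap code or anything posted by the participants; it gives each trusted domain its own non-overlapping ID range and computes the ID from the RID, with the domain SIDs and ranges being constructed sample values.

```python
"""Deterministic SID -> UID/GID mapping per trusted domain.

Added illustration (not Samba's idmap implementation): each domain the
member server trusts gets its own non-overlapping UNIX ID range, and an
account's ID is derived from the RID of its SID. The result needs no
mapping database and is identical on every member server. Domain SIDs
and ranges below are constructed sample values.
"""
import re
from dataclasses import dataclass

# S-1-<authority>-<subauthority>... ; the last component is the RID.
SID_RE = re.compile(r"^S-1-(\d+)(?:-(\d+))+$")


@dataclass(frozen=True)
class DomainRange:
    name: str
    sid: str   # domain SID without the trailing RID
    low: int   # first UNIX ID reserved for this domain
    high: int  # last UNIX ID reserved for this domain


# Constructed sample: the trusting domain A and the trusted domain B.
DOMAINS = [
    DomainRange("A", "S-1-5-21-1111-2222-3333", 10000, 19999),
    DomainRange("B", "S-1-5-21-4444-5555-6666", 20000, 29999),
]


def split_sid(sid: str) -> tuple[str, int]:
    """Return (domain SID, RID); raise ValueError on malformed input."""
    if not SID_RE.match(sid):
        raise ValueError(f"malformed SID: {sid!r}")
    head, _, rid = sid.rpartition("-")
    return head, int(rid)


def sid_to_id(sid: str, domains=DOMAINS) -> int:
    """Map a user or group SID to a UNIX ID as range low + RID.

    Because no two domains share a range, RID 1000 in A and RID 1000 in B
    resolve to different IDs instead of colliding on one UID/GID."""
    domain_sid, rid = split_sid(sid)
    for d in domains:
        if d.sid == domain_sid:
            unix_id = d.low + rid
            if unix_id > d.high:
                raise ValueError(f"RID {rid} exceeds range of domain {d.name}")
            return unix_id
    raise LookupError(f"SID {sid} belongs to no trusted domain")


def check_ranges(domains=DOMAINS) -> bool:
    """Reject configurations whose ranges overlap: the silent failure mode
    is two different SIDs mapping to one ID and sharing file permissions."""
    spans = sorted((d.low, d.high) for d in domains)
    return all(spans[i][1] < spans[i + 1][0] for i in range(len(spans) - 1))
```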