Re: Samba with clients in multiple domains

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Hi Robin,

I've not got a good starting point I'm afraid, but I was forced to deploy Samba under pressure of failing hardware so an urgent migration was done. We didn't get the IBM AIX 6.1 supplied one running at all, so we pulled down the version 3.4.3. We couldn't get that working as we wished, but it did at least share. It has been merrily allowing any request to mount (read-only) the shares. All was well with the function, but obviously it is not appropriate for the sensitive data was are sharing. The setting I had to put in was security=SHARE and on each share, we have guest login allowed.

My problem is that our clients are in at least two domains and the server is standalone, i.e. no LDAP or whatever connection set up on the operating system in /etc/netsrv.conf or anything. We are an outsourcing company so we have our servers&  users and the client company users all wanting to access the data.

I've tried reading the manual pages, but I have to understand much more about security and protocols than I do to get my foot in the door, so to speak. The more I try to find out, the more confused I get.  What I have tried has always prevented any access. Great for security, but useless for actually operating the business.

It has been parked for quite a while now especially as the failing hardware also allowed guest connections so I had nothing to compare to. I've now forgotten what attempts I have made, but now Internal Audit are on my case to lock it down. Can anyone point me in the right direction? I would prefer to grant access to an Active Directory group of users if that is possible, but then it needs to validate the user on more than one

My head hurts already.

Full config (slightly sanitised) can be posted if this is useful, but I didn't want to flood the thread first off.

documentation on the web is fine for configuring kerberos/smb/winbind for one domain, but I also found it hard to getthe sid/uid mapping right in a multiple domain environment. Idmap has changed so many times since smb 3.0 that it is hard to know which doc is fine... I hope the 3.6 way will be the definitive one :-)

Here is a smb.conf that I is working fine with two domain. servera is joined to AD kerberos DOMA.LOCAL. There is interdomain trust with DOMB.LOCAL.
        security = ads
        realm = DOMA.LOCAL
        password server =
        workgroup = DOMA
        winbind separator = +

        idmap backend = tdb
        idmap uid = 1000000-1999999
        idmap gid = 1000000-1999999
        idmap config DOMA : backend     = rid
        idmap config DOMA : range       = 10000 - 49999

        idmap config DOMB : backend  = rid
        idmap config DOMB : range    = 50000 - 99999

        winbind enum users = yes
        winbind enum groups = yes
        template homedir = /home/%D/%U
        template shell = /bin/bash
        client use spnego = yes
        client ntlmv2 auth = yes
        encrypt passwords = yes
        winbind use default domain = yes
        restrict anonymous = 2
        wins server =

        printcap name = /etc/printcap
        load printers = no

        path = /home/myshare
        guest ok= no
        write list= @"group1" @"DOMB+group2"
        writeable = yes
        force create mode = 0770

Hope this helps,

Denis Cardon


Diligenta Limited (No. 5535029) is a subsidiary of Tata Consultancy Services Limited. Diligenta 2 Limited (No. 4087012) is a subsidiary of Diligenta Limited.
Both companies are registered in England and have their registered office at Lynch Wood, Peterborough, PE2 6FY and are authorised and regulated by the Financial Services Authority.

The information in this e-mail is confidential and may be legally privileged. It is intended solely for the addressee and access to this e-mail by anyone else is unauthorised. Although this message and any attachments are believed to be free of any virus or other defect that might affect any computer system into which it is received and opened, it is the responsibility of the recipient to ensure that it is virus free and no responsibility is accepted by Diligenta Limited or Diligenta 2 Limited for any loss or damage in any way arising from its use. Any views or opinions presented are solely those of the author and do not necessarily represent those of Diligenta Limited or Diligenta 2 Limited. Replies to this e-mail may be monitored for operational or business reasons.

Denis Cardon
Tranquil IT Systems
44 bvd des pas enchantés
44230 Saint Sébastien sur Loire
tel : +33 (0)

To unsubscribe from this list go to the following URL and read the

[Linux]     [Info Cyrus]     [LARTC]     [Bugtraq]     [Netfilter]     [Internet Dating Forums]     [RAID]     [Yosemite News]     [Photography]

Add to Google Powered by Linux