Re: allow trusted domains

On Sat, 2012-03-03 at 16:59 +0700, Victor Sudakov wrote: 
> Andrew Bartlett wrote:
> > > As written in http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/idmapper.html
> > > 
> > > 	"Where winbindd is not used Samba (smbd) uses the underlying
> > > 	UNIX/Linux mechanisms to resolve the identity of incoming network
> > > 	traffic. This is done using the LoginID (account name) in the session
> > > 	setup request and passing it to the getpwnam() system function call.
> > > 	This call is implemented using the name service switch (NSS) mechanism
> > > 	on modern UNIX/Linux systems. By saying "users and groups are local,"
> > > 	we are implying that they are stored only on the local system, in the
> > > 	/etc/passwd and /etc/group respectively.
> > > 
> > > 	For example, when the user BERYLIUM\WambatW tries to open a connection
> > > 	to a Samba server the incoming SessionSetupAndX request will make a
> > > 	system call to look up the user WambatW in the /etc/passwd file. "
> > > 
> > > My question: if BERYLIUM trusts ANOTHERDOMAIN, and
> > > ANOTHERDOMAIN\WambatW tries to open a connection to my Samba server,
> > > what user will be looked up in /etc/passwd?
> > 
> > It should be:
> > ANOTHERDOMAIN\WambatW
> 
> A Unix user with a slash in the login name? Sorry I doubt that because
> I have a script in smb.conf:
> 
> add user script = /usr/sbin/pw useradd %u -m -Y -M 755
> 
> and the script's log shows that those users from trusted domains are
> being created as "WambatW", not "ANOTHERDOMAIN\WambatW". 
> 
> How/where can I see/debug the actual mapping happening?

When using trusted domains you should run winbindd; relying on add user
script is basically not supported/tested for trusted domains.

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer <simo@xxxxxxxxx>
Principal Software Engineer at Red Hat, Inc. <simo@xxxxxxxxxx>
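
An added example, not part of the original message and not Samba code: a small Python check showing why the short-name mapping reported in the thread matters. With the domain dropped, BERYLIUM\WambatW and ANOTHERDOMAIN\WambatW land on one Unix account, while a domain-qualified name keeps them apart. The logon list, the function names and the qualified form (modelled on the DOMAIN\user notation used in the thread) are assumptions for illustration.

```python
from collections import defaultdict

# Constructed sample of (domain, account) pairs as they might arrive in
# session setup requests. Not taken from any real log.
LOGONS = [
    ("BERYLIUM", "WambatW"),
    ("ANOTHERDOMAIN", "WambatW"),
    ("BERYLIUM", "alice"),
    ("ANOTHERDOMAIN", "bob"),
    ("anotherdomain", "Bob"),  # same principal as above, different case
]


def short_name(domain, account):
    """Mapping observed in the thread: the domain part is dropped."""
    return account


def qualified_name(domain, account, separator="\\"):
    """Assumed domain-qualified form: DOMAIN<separator>account."""
    return f"{domain.upper()}{separator}{account}"


def collisions(logons, mapper):
    """Return {unix_name: principals} for every Unix name that is shared
    by principals from more than one domain under the given mapper."""
    by_name = defaultdict(set)
    for domain, account in logons:
        # Windows domain and account names are case-insensitive, so
        # normalise before comparing principals.
        principal = (domain.upper(), account.lower())
        by_name[mapper(domain, account).lower()].add(principal)
    return {
        name: sorted(principals)
        for name, principals in by_name.items()
        if len({dom for dom, _ in principals}) > 1
    }


if __name__ == "__main__":
    for label, mapper in (("short", short_name), ("qualified", qualified_name)):
        found = collisions(LOGONS, mapper)
        print(f"{label:9s} mapping: {len(found)} shared Unix name(s)")
        for name, principals in found.items():
            owners = ", ".join(f"{d}\\{a}" for d, a in principals)
            print(f"  {name} <- {owners}")
```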
