Hi All: Excuse me for butting in here, but I'm planning a migration from WinNT 4 to Samba in the near future and this thread has caused me to worry a little.
Take the case that I'm planning: 3 Domains each to its own LAN (connected via 128k Frame Relay lines to form a WAN). Each domain currently has an NT 4 PDC and each domain "trusts" each other.

How do I accomplish these "trusts" only using Samba PDCs?

Meaning: If I rip out the NT Domains, replace the PDCs with Samba PDCs and rebuild new domains (new Domain Names, new NetBIOS names for the PDCs, etc.), how do I get the three domains to once again trust each other? Is there a Samba command to do this?

Thanks,

Kevin L. Collins, MCSE
Systems Manager
Nesbitt Engineering, Inc.

> -----Original Message-----
> From: Mathew McKernan [mailto:mathewmckernan@;optushome.com.au]
> Sent: Monday, October 28, 2002 2:39 AM
> To: Matthew Hannigan; Andrew Bartlett
> Cc: Matthew Hannigan; [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: Re: [Samba] auth to two diff PDCs? (success, sort of)
>
>
> Hi Matthew,
>
> Andrew is talking about domain trusts here. When the client asks for a
> connection to a share or the samba server itself, the samba daemon will
> check if the user is valid to the PDC. Domain trusts enable 2 domains to
> "know" each other's users.
>
> However in some cases this is dangerous, in my situation at work, we have 2
> LANs (physically separate) and have separate NT Domains for that reason.
> However we wanted to allow staff to logon to either domain but have access
> to their home drive. To solve this we ran 2 copies of samba (installed to
> different locations) and each copy is a member of the domain they are to
> serve. Then using the "interfaces" config option in smb.conf we force each
> copy of samba to bind to the LAN it serves.
>
> In your case it sounds as if you are running one LAN but with 2 domains that
> don't trust each other. Either establish a trust between the two LANs, or
> use the method above. You will need to set the name differently for each
> copy of Samba, using "netbios name" in smb.conf, or you will get conflicts.
>
> Thanks
>
> Mathew
>
>
> ----- Original Message -----
> From: "Matthew Hannigan" <[EMAIL PROTECTED]>
> To: "Andrew Bartlett" <[EMAIL PROTECTED]>
> Cc: "Matthew Hannigan" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>;
> <[EMAIL PROTECTED]>
> Sent: Monday, October 28, 2002 5:25 PM
> Subject: Re: [Samba] auth to two diff PDCs? (success, sort of)
>
>
> > On Mon, Oct 28, 2002 at 04:56:03PM +1100, Andrew Bartlett wrote:
> > > Andrew Bartlett wrote:
> > > >
> > > > Matthew Hannigan wrote:
> > > > >
> > > > > With a single server, settings "security = server" and
> > > > > "password server = pdc1 pdc2", I can successfully
> > > > > authenticate against two entirely different PDCs
> > > > > depending on which order I put the two machines in
> > > > > the 'password server' list.
> > > > >
> > > > > Is there some way of forcing clients from either
> > > > > domain to authenticate against the 'right' pdc,
> > > > > regardless of the order in the 'password server'
> > > > > config?
> > > > >
> > > > > What is the algo for choosing auth server out of a
> > > > > list, anyway?
> > > > >
> > > > > If so it'd be a nice cheap way of getting what
> > > > > we would otherwise have to wait for trust relationship
> > > > > support for.
> > > >
> > > > The reason we don't support this already is that while the auth works, a
> > > > *lot* of other things break.
> > >
> > > But if one PDC trusts the other, then security=domain will do this stuff
> >
> > Except that the users would have to be on the server, right? Since
> > (according to the docs (smb.conf)) the network logon comes from the
> > server, not the workstation.
> >
> > What precisely does 'on the server' mean anyway? In the smbpasswd
> > file? We don't use that; we just have the unix user (/etc/passwd)
> >
> > Matt
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: http://lists.samba.org/mailman/listinfo/samba
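The two-instance setup described in the quoted message from Mathew McKernan, sketched as a pair of smb.conf files. This is an added example, not configuration posted in the thread: the domain names, PDC names, NetBIOS names, addresses and install paths are all assumed placeholders.

```ini
; ---- Instance A: /opt/samba-a/lib/smb.conf (install path is an assumption) ----
[global]
   ; DOMAIN_A and PDC_A are placeholder names
   workgroup = DOMAIN_A
   ; Must differ between the two copies, or the names conflict
   netbios name = FILESRV-A
   ; Domain member: logons are validated by this domain's PDC
   security = domain
   password server = PDC_A
   ; Address of this host on LAN A (constructed value)
   interfaces = 192.168.10.5/24
   ; "interfaces" alone does not stop smbd from serving requests on the
   ; other LAN; this option restricts it to the interfaces listed above
   bind interfaces only = yes
   ; Keep per-instance state apart so the copies never share files
   lock directory = /opt/samba-a/var/locks
   pid directory = /opt/samba-a/var/run
   log file = /opt/samba-a/var/log.%m

; ---- Instance B: /opt/samba-b/lib/smb.conf (install path is an assumption) ----
[global]
   ; DOMAIN_B and PDC_B are placeholder names
   workgroup = DOMAIN_B
   netbios name = FILESRV-B
   security = domain
   password server = PDC_B
   ; Address of this host on LAN B (constructed value)
   interfaces = 192.168.20.5/24
   bind interfaces only = yes
   lock directory = /opt/samba-b/var/locks
   pid directory = /opt/samba-b/var/run
   log file = /opt/samba-b/var/log.%m
```

Each copy has to be joined to its own domain separately, and each set of daemons is started against its own configuration file.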