Hi Jochen, on another security issue, how do your samba servers authenticate to your idmap ldap backend server? Do you have to allow anonymous write access? I certainly would feel this was poor if that's the case. And you have listed only one LDAP server as your backend, will this not cause a big problem if it falls over? Can you specify more than one LDAP backend server?
thanks
Andy Smith.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Jochen Schmidt
Posted At: 31 October 2003 11:59
Posted To: Samba
Conversation: [Samba] can't join W2003 domain with 3.0.0 (krb ticket is OK though)
Subject: Re: [Samba] can't join W2003 domain with 3.0.0 (krb ticket is OK though)

Hi Christoph

On 31 Oct 2003, Andrew Bartlett wrote:

> On Fri, 2003-10-31 at 21:41, [EMAIL PROTECTED] wrote:
> > Hi Jochen et al,
> >
> > that worked fine, though if I get it right everyone can now read the
> > active directory structure (?)
>
> No, you still need to authenticate, but nothing stops an attacker from
> 'stealing' the TCP/IP connection, if they control the network.

If you want to see what *everybody* can see try an "ldapsearch -x -b "dc=MYDOMAIN,dc=DE" -h adscontroller -p 389" on a UNIX-Box.

> > Connecting to the samba machine results still in errors, but that may be
> > something stupid on my behalf too...
> >
> > thanks for helping
> > ~christoph
> >
> >
> > connect_to_domain_password_server: unable to setup the NETLOGON
> > credentials to machine ADC1. Error was : NT_STATUS_UNSUCCESSFUL.
>
> You will need to turn up the debug level - it will probably be something
> simple...

I've attached my own configuration I use on an ADS Domain Member. The Winbind-Stuff comes from another LDAP-Server and has no relation to the ADS-LDAP. If you don't use winbind you won't need the winbind section. You should first do the "kinit [EMAIL PROTECTED]" and then a "net ads join".

Greetings
Jochen

--
Jochen Schmidt            [EMAIL PROTECTED]
Mi||enux GmbH             mobile: +49.175.5752483
Lilienthalstraße 2        phone: +49.711.88770.300
70825 Stuttgart-Korntal   fax: +49.711.88770.349
-= linux without limits -=- http://linux.zSeries.org/ =-
PGP Fingerprint: 6F9A 85CE 78EA 7EF1 B2BA 3559 8FA1 2B13 098D 20B5