After extensive testing, the answer I come up with is "yes, and no."
Jonathan Johnson wrote:
I presently have a Samba server (3.0.21b) set up as a member server in
an NT4 domain (with a real Windows NT4 PDC). We are migrating to an
Active Directory domain (with a real Windows 2003 domain controller).
We have set up a two-way trust between the old NT4 domain "CLUNKY" and
the new ADS domain "SLEEK" (aka sleek.local). The Samba server is a
member of the CLUNKY domain (security = domain) and authentication is
against the PDC for the CLUNKY domain.
How can I ensure that users in both CLUNKY and SLEEK can access the
Samba server? Will joining the Samba server to SLEEK with security =
ADS allow this? Will Samba honor the domain trust?
If a share is not restricted with "valid users =", then the user in
SLEEK can access the share on the Samba server in CLUNKY. However, if
you have restrictions on the share such as
valid users = @CLUNKY+sales, CLUNKY+fred
then the user 'fred' in the SLEEK domain will NOT be able to access. You
can grant SLEEK+fred access by modifying:
valid users = @CLUNKY+sales, CLUNKY+fred, SLEEK+fred
so it appears that you can add users in trusted domains to the 'valid
users =' directive. However, groups of trusted domains don't work:
valid users = @CLUNKY+sales, @SLEEK+sales
If 'fred' is a member of the group SLEEK+sales, fred will NOT have
access (assuming the Samba server is in the CLUNKY domain).
-Jonathan Johnson
Sutinen Consulting, Inc.
www.sutinen.com
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba
