The Samba Team does not support a unified AAAA system backing multiple domains controlled by samba at this time (even though that's arguably the Holy Grail of corporate computing). You have to roll your own. Here's how I did it (with much help from several members of the Samba Team, gratefully appreciated):
WARNING: THIS IS A HACK. IF YOU ARE READING THIS AFTER 2008-06-15 IT MAY BE OBSOLETE BY NOW. DO NOT PROPAGATE THIS FOREVER AS FOLK WISDOM. Thanks.

First of all, you need a working WINS architecture. This is harder than it sounds but not too hard.

#1 Shut down samba
#2 Turn off port 445 in smb.conf
#3 Configure each of your PDCs to be a WINS server
#4 Edit wins.dat with a unix text editor, adding records for each remote PDC:

    "DOMAIN_B#1b" 0 ip.ad.dr.ess 66R
    "DOMAIN_B#1c" 0 ip.ad.dr.ess 66R
    "DOMAIN_B#1d" 0 ip.ad.dr.ess 66R
    "DOMAIN_B#1e" 0 ip.ad.dr.ess 66R
    "DOMAIN_B#00" 0 ip.ad.dr.ess 66R

   (etc. etc. etc. for all non-local domains and PDC addresses)
#5 Turn samba back on
#6 Use "net cache list", "net cache add" and "net cache del" to fix any problems

I have been unable to establish interdomain trusts without WINS working. Period.

OK, now you need to run winbind (smbd and nmbd used to be able to do this stuff without winbind, but not any more) and, more importantly, you need to strongly segregate your LDAP container objects. You see, when you try to establish an interdomain trust, samba no longer allows you to specify the name of the account that must exist on the remote PDC. The name of that trust *must* be the name of the requesting domain. This works fine until you have more than two domains, at which point it completely breaks down, because the trust account must have the SID of the local domain and the name of the remote domain (draw this out on paper if you don't see why it cannot work for more than two domains).

So, you need to build container objects for each of your domains, something like "ou=DOMAIN_A,dc=example,dc=com" and "ou=DOMAIN_B,dc=example,dc=com", and put all the machine and domain trust accounts into the appropriate container. Everything in the Domain_A container should have a sambaSID attribute that works for Domain_A, etc. and so forth for Domains B through Z.
Now rig up your idmapping to look across the containers by putting this sort of stuff in smb.conf:

    # These are the domains we will talk to
    # one of them will be designated the default
    idmap domains = DOMAIN_A DOMAIN_B DOMAIN_C
    #
    # This is the domain that we can write uid/guid maps for
    #
    idmap alloc backend = ldap
    idmap alloc config:ldap_base_dn = ou=DOMAIN_A,dc=example,dc=com
    idmap alloc config:ldap_user_dn = cn=smbd,ou=DOMAIN_A,dc=example,dc=com
    idmap alloc config:ldap_url = ldaps://master.ldap.server.example.com/
    idmap alloc config:range = 405000 - 409999
    #
    # These are all the domain maps we have read access to
    #
    idmap config DOMAIN_A:default = yes
    idmap config DOMAIN_A:backend = ldap
    idmap config DOMAIN_A:ldap_user_dn = cn=smbd,ou=DOMAIN_A,dc=example,dc=com
    idmap config DOMAIN_A:ldap_base_dn = ou=DOMAIN_A,dc=example,dc=com
    idmap config DOMAIN_A:ldap_url = ldap://127.0.0.1/
    idmap config DOMAIN_A:range = 405000 - 409999
    #
    idmap config DOMAIN_B:readonly = yes
    idmap config DOMAIN_B:backend = ldap
    idmap config DOMAIN_B:ldap_user_dn = cn=smbd,ou=DOMAIN_B,dc=example,dc=com
    idmap config DOMAIN_B:ldap_base_dn = ou=DOMAIN_B,dc=example,dc=com
    idmap config DOMAIN_B:ldap_url = ldap://127.0.0.1/
    idmap config DOMAIN_B:range = 415000 - 419999
    #
    idmap config DOMAIN_C:readonly = yes
    idmap config DOMAIN_C:backend = ldap
    idmap config DOMAIN_C:ldap_user_dn = cn=smbd,ou=DOMAIN_C,dc=example,dc=com
    idmap config DOMAIN_C:ldap_base_dn = ou=DOMAIN_C,dc=example,dc=com
    idmap config DOMAIN_C:ldap_url = ldap://127.0.0.1/
    idmap config DOMAIN_C:range = 425000 - 429999
    #

You're going to have to do this on all the PDCs with appropriate modifications (mostly just changing the "readonly" and "default" clauses, but also making your "alloc" section match your default domain), and then you'll have to set the password for the bind DNs in /etc/secrets.tdb using a bunch of "net idmap secret DOMAIN <password>" commands and one "net idmap secret alloc <password>".

Then you'll be OK, right? Not so fast.
Although you have specified in your smb.conf file the appropriate container for machine trusts ("ldap machine suffix = ou=Windows_Domain_A", for example), the code that looks for domain trusts does not use this parameter. Instead, it starts from the top of your tree (as specified by ldap suffix in smb.conf) and works down. If it finds more than one object with the name it's looking for it simply breaks, instead of checking to see if one of them might be appropriate or using a filter that references the sambaSID. Trust no workee. You'll need to use ACLs in your /etc/openldap/slapd.conf and separate bind DNs for each domain.

At this point I have to caution you against making your LDAP tree too tidy. Many of the LDAP calls being made from samba have a "scope 2" parameter on them, at least according to OpenLDAP's logs. That means subtree searches will stop after going 2 levels deep on some calls, but perhaps not on others. You may need to have all your objects within 2 levels of the ldap_suffix if you want everything to work properly. I simply put all the samba objects for each domain (other than People and Groups, that is) in the domain-specific containers and that seems to work.

Also be careful with your ACLs in slapd.conf... ACL processing is resource-intensive, and samba doesn't make particularly efficient queries. You can easily build ACLs that will ruin the performance of your LDAP service, possibly causing problems in the *nix name service switch entirely outside samba. Try several different approaches and test, test, test.

Once you have an ACL-restricted LDAP tree that lets your samba PDCs see only the stuff that is relevant to the local domain (test *thoroughly* with ldapsearch) you will be able to establish and maintain interdomain trusts for any number of domains. Or, at least four, that's how many I have.

Good luck; I apologize for the sketchiness of this information, but I am pressed for time.
--Charlie

On Mon, Jun 2, 2008 at 9:30 AM, Alex Crow <[EMAIL PROTECTED]> wrote:
> Hi,
>
> I am having the exact same problem as the user quoted below - I have
> 3.0.28a installed at both ends (I've tried 3.0.30 but that seems to make
> wbinfo -t fail with "DOMAIN CONTROLLER NOT FOUND" errors). It's a
> bidirectional trust - the end remote to me works fine but the local end
> reports as below. wbinfo -u/g fails on both ends with "Error looking up
> domain users".
>
> Here is the relevant part of my smb.conf on the local end:
>
> [global]
> unix charset = LOCALE
> workgroup = IFA_NET
> netbios name = PDC
> interfaces = eth0, lo
> bind interfaces only = Yes
> passdb backend = ldapsam:ldap://127.0.0.1
> username map = /etc/samba/smbusers
> syslog = 0
> log file = /var/log/samba/%m
> max log size = 0
> smb ports = 139 445
> name resolve order = wins lmhosts bcast hosts
> time server = no
> #printcap name = CUPS
> show add printer wizard = Yes
> enable privileges = yes
> ldap suffix = dc=ifa,dc=net
> ldap machine suffix = ou=Computers
> ldap user suffix = ou=People
> ldap group suffix = ou=Groups
> ldap idmap suffix = ou=Idmap
> ldap admin dn = cn=manager,dc=ifa,dc=net
> ldap ssl = no
> ldap timeout = 20
> idmap backend = ldap:ldap://127.0.0.1
> idmap uid = 10000-20000
> idmap gid = 10000-20000
> winbind nested groups = yes
> winbind trusted domains only = yes
> winbind use default domain = no
> winbind enum users = yes
> winbind enum groups = yes
> winbind cache time = 6000
> allow trusted domains = yes
> map acl inherit = Yes
> ea support = Yes
> #printing = cups
> # printer admin = root
> wins support = yes
> log level = 3
> domain logons = yes
> domain master = yes
> preferred master = yes
> logon drive = H:
> #os level = 35
> passdb expand explicit = yes
> add user script = /usr/sbin/smbldap-useradd -m '%u'
> delete user script = /usr/sbin/smbldap-userdel %u
> add group script = /usr/sbin/smbldap-groupadd -p '%g'
> delete group script = /usr/sbin/smbldap-groupdel '%g'
> add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
> delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
> enable privileges = Yes
> set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
>
> and remote:
>
> [global]
> #unix charset = LOCALE
> workgroup = INTEGRALIFE_NET
> netbios name = DC
> interfaces = eth1, lo
> bind interfaces only = Yes
> passdb backend = ldapsam:ldap://127.0.0.1
> logon drive = H:
> logon home = \\%L\%U
> logon path = \\%L\%U\profile
> os level = 33
> #auth methods = guest sam winbind
> username map = /etc/samba/smbusers
> log level = 1
> syslog = 0
> log file = /var/log/samba/%m
> max log size = 0
> smb ports = 139
> name resolve order = wins lmhosts bcast hosts
> time server = Yes
> printcap name = CUPS
> show add printer wizard = Yes
> #add user script = /usr/sbin/smbldap-useradd -m '%u'
> delete user script = /usr/sbin/smbldap-userdel %u
> add group script = /usr/sbin/smbldap-groupadd -p '%g'
> delete group script = /usr/sbin/smbldap-groupdel '%g'
> add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
> delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
> enable privileges = Yes
> set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
> add machine script = /usr/sbin/smbldap-useradd -a -w '%u'
> logon drive = H:
> domain logons = Yes
> preferred master = Yes
> domain master = Yes
> #wins support = Yes
> wins server = 192.168.20.137
> wins proxy = no
> ldap suffix = dc=integralife,dc=net
> ldap machine suffix = ou=Computers,ou=Accounts
> ldap user suffix = ou=People,ou=Accounts
> ldap group suffix = ou=Groups
> ldap idmap suffix = ou=Idmap
> ldap admin dn = cn=Manager,dc=integralife,dc=net
> ldap ssl = no
> ldap timeout = 20
> idmap backend = ldap:ldap://127.0.0.1
> idmap uid = 10000-20000
> idmap gid = 10000-20000
> winbind nested groups = yes
> winbind use default domain = no
> winbind trusted domains only = yes
> winbind enum users = yes
> winbind enum groups = yes
> allow trusted domains = Yes
> map acl inherit = Yes
> ea support = Yes
> disable spoolss = No
> printing = cups
> printer admin = root
>
> Any help I can get gratefully received!
>
> Thanks
>
> Alex
>
> On Wed, 2008-05-07 at 16:43 -0400, Charlie wrote:
>> Greetings Sambistas!
>>
>> I can't seem to get domain trusts to work in both directions. Details
>> follow.
>>
>> I have a network running many OSes on four geographically separate
>> sites with an OpenLDAP authentication backbone. Desktops are windows
>> XP authenticating to samba 3.0.25b servers which in turn are
>> configured to use LDAP. Our net has been running samba in various
>> flavors and versions for over ten years, and we have been running
>> OpenLDAP for about seven years.
>>
>> Each physical site is a separate samba domain but all use the same
>> LDAP backend data. All linux samba servers are running 3.0.25b, some
>> of them using Red Hat native packages on RHEL5 and others using my own
>> backported RPMs of the same. HP-UX servers run HP's CIFS9000 product
>> which is essentially a samba fork.
>>
>> Each samba server has a local LDAP replica and a local slave BIND
>> DNS server. PAM, NSS, and samba are all configured for automatic LDAP
>> failover; this is tested and working. We use unencrypted LDAP on
>> 127.0.0.1 as the primary (for speed) and LDAPS to the master server as
>> secondary (for security). If I kill the local LDAP daemon samba
>> continues to work fine, drawing passwords etc. from the master server
>> over SSL.
>>
>> From the main site, I can do this:
>>
>> # net rpc trustdom list -Udomadmin
>> Password:
>>
>> Trusted domains list:
>>
>> LA    S-1-5-21-laSIDredacted
>> MD    S-1-5-21-mdSIDredacted
>> MA    S-1-5-21-maSIDredacted
>> none
>>
>> Trusting domains list:
>>
>> MAIN  S-1-5-21-LocalSIDredacted
>> MA    S-1-5-21-maSIDredacted
>> LA    S-1-5-21-laSIDredacted
>> MD    S-1-5-21-mdSIDredacted
>>
>> But, from the MD server, if I issue the same command, I get this:
>>
>> # net rpc trustdom list -Umdadmin
>> Password:
>> Trusted domains list:
>>
>> MAIN  S-1-5-21-LocalSIDredacted
>> MA    S-1-5-21-maSIDredacted
>> LA    S-1-5-21-laSIDredacted
>> none
>>
>> Trusting domains list:
>>
>> [2008/05/07 16:35:35, 0] utils/net_rpc.c:rpc_trustdom_list(6208)
>> Couldn't enumerate accounts. Error was: NT_STATUS_ACCESS_DENIED
>>
>> I have been unable to find anything on the net that details the LDAP
>> entries for interdomain trust accounts. I do not know if a single
>> LDAP dn can be used to establish the trust in both directions or if I
>> need two for each link in the mesh. If anyone could post examples of
>> working LDAP accounts used for interdomain trust purposes I would be
>> tremendously grateful!
>>
>> Thanks,
>> --Charlie
>
> --
> This message is intended only for the addressee and may contain
> confidential information. Unless you are that person, you may not
> disclose its contents or use it in any way and are requested to delete
> the message along with any attachments and notify us immediately.
>
> "Transact" is operated by Integrated Financial Arrangements plc
> Domain House, 5-7 Singer Street, London EC2A 4BQ
> Tel: (020) 7608 4900 Fax: (020) 7608 1200
> (Registered office: as above; Registered in England and Wales under
> number: 3727592)
> Authorised and regulated by the Financial Services Authority (entered on
> the FSA Register; number: 190856)
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/listinfo/samba
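The idmap layout Charlie describes has to be reproduced on every PDC with the "default"/"readonly" clauses and the "alloc" section flipped per host, and nothing in Samba 3 warns you when two domains' ranges overlap or the alloc section points at the wrong container. The script below is an added example, not code from the post or from the Samba project: render_idmap_config() generates the smb.conf idmap stanzas for one PDC from a single shared table (so all PDCs are built from the same data instead of hand-edited), and check_idmap_config() parses any such fragment and reports the layout mistakes before smbd is restarted. The domain table, the master and replica LDAP URLs and the "cn=smbd" bind DNs are placeholders modelled on the post's illustration; it does not contact Samba or LDAP.

```python
"""Generate and sanity-check per-domain 'idmap config' stanzas for a
multi-domain Samba 3 + OpenLDAP setup.  Added example; names, DNs, URLs
and ranges are assumed placeholders modelled on the post above."""
from __future__ import annotations
import re
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Domain:
    name: str      # NetBIOS domain name, also the ou= container name
    suffix: str    # LDAP suffix the per-domain container hangs under
    low: int       # first uid/gid this domain may map
    high: int      # last uid/gid this domain may map


# Constructed table: the three domains and ranges used in the post.
DOMAINS = (
    Domain("DOMAIN_A", "dc=example,dc=com", 405000, 409999),
    Domain("DOMAIN_B", "dc=example,dc=com", 415000, 419999),
    Domain("DOMAIN_C", "dc=example,dc=com", 425000, 429999),
)
MASTER_URL = "ldaps://master.ldap.server.example.com/"  # assumed: writes go here
REPLICA_URL = "ldap://127.0.0.1/"                       # assumed: local read replica


def render_idmap_config(local: str, domains=DOMAINS) -> str:
    """smb.conf idmap stanzas for the PDC of `local`: that domain is the
    writable default and owns the alloc range; every other domain is read-only."""
    me = next((d for d in domains if d.name == local), None)
    if me is None:
        raise ValueError(f"unknown domain {local!r}")
    out = [f"idmap domains = {' '.join(d.name for d in domains)}",
           "idmap alloc backend = ldap",
           f"idmap alloc config:ldap_base_dn = ou={me.name},{me.suffix}",
           f"idmap alloc config:ldap_user_dn = cn=smbd,ou={me.name},{me.suffix}",
           f"idmap alloc config:ldap_url = {MASTER_URL}",
           f"idmap alloc config:range = {me.low} - {me.high}"]
    for d in domains:
        out += [f"idmap config {d.name}:{'default' if d is me else 'readonly'} = yes",
                f"idmap config {d.name}:backend = ldap",
                f"idmap config {d.name}:ldap_user_dn = cn=smbd,ou={d.name},{d.suffix}",
                f"idmap config {d.name}:ldap_base_dn = ou={d.name},{d.suffix}",
                f"idmap config {d.name}:ldap_url = {REPLICA_URL}",
                f"idmap config {d.name}:range = {d.low} - {d.high}"]
    return "\n".join(out) + "\n"


_RANGE = re.compile(r"^\s*(\d+)\s*-\s*(\d+)\s*$")
# Matches both 'idmap config DOM:key = val' and 'idmap alloc config:key = val'.
_LINE = re.compile(r"^idmap (?:config (\S+?)|alloc config):(\w+)\s*=\s*(.*?)$")


def _parse(text: str):
    """Split a fragment into (listed domains, per-domain settings, alloc settings)."""
    listed, domains, alloc = [], {}, {}
    for raw in text.splitlines():
        s = raw.strip()
        if not s or s[0] in "#;":          # smb.conf comment lines
            continue
        m = re.match(r"^idmap domains\s*=\s*(.*)$", s)
        if m:
            listed = m.group(1).split()
            continue
        m = _LINE.match(s)
        if m:
            dom, key, val = m.groups()
            (alloc if dom is None else domains.setdefault(dom, {}))[key] = val
    return listed, domains, alloc


def check_idmap_config(text: str) -> list[str]:
    """Return a list of problems (empty list means the layout is consistent)."""
    listed, domains, alloc = _parse(text)
    problems, ranges = [], {}
    for name in listed:
        cfg = domains.get(name, {})
        m = _RANGE.match(cfg.get("range", ""))
        if not m:
            problems.append(f"{name}: listed in 'idmap domains' but has no parsable range")
            continue
        lo, hi = int(m.group(1)), int(m.group(2))
        if lo > hi:
            problems.append(f"{name}: range low {lo} > high {hi}")
            continue
        ranges[name] = (lo, hi)
    for (a, (alo, ahi)), (b, (blo, bhi)) in combinations(ranges.items(), 2):
        if alo <= bhi and blo <= ahi:    # closed intervals intersect
            problems.append(f"{a} and {b}: ranges overlap ({alo}-{ahi} vs {blo}-{bhi})")
    defaults = [n for n, c in domains.items() if c.get("default", "").lower() == "yes"]
    if len(defaults) != 1:
        problems.append(f"expected exactly one default domain, found {defaults}")
        return problems
    d = defaults[0]
    if domains[d].get("readonly", "").lower() == "yes":
        problems.append(f"{d}: the default domain must not be readonly")
    m = _RANGE.match(alloc.get("range", ""))
    if not m:
        problems.append("alloc section has no parsable range")
    elif d in ranges:
        lo, hi = int(m.group(1)), int(m.group(2))
        if lo < ranges[d][0] or hi > ranges[d][1]:
            problems.append(f"alloc range {lo}-{hi} is not inside {d}'s range {ranges[d]}")
    if alloc.get("ldap_base_dn") != domains[d].get("ldap_base_dn"):
        problems.append(f"alloc ldap_base_dn does not match {d}'s ldap_base_dn")
    return problems


if __name__ == "__main__":
    for dom in DOMAINS:
        frag = render_idmap_config(dom.name)
        print(f"--- PDC of {dom.name}: problems = {check_idmap_config(frag)}")
```

Run it against the fragment you are about to ship on each PDC (the check only reads the text, so it can also be pointed at the idmap lines of an existing smb.conf). The overlap check is the important one: two domains sharing a uid/gid span means the same unix id can be handed to SIDs from two different domains, which quietly breaks file ownership across the trust.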