Trusted domain with different short name to DNS name.

Trusted domain with different short name to DNS name.

Samba - General mailing list
Hey,

I have 2 trusted domains to deal with, "DEV" and "TODEV", and I have configured smb.conf like this:-

[global]
 workgroup = MAIN
 security = ADS
 realm = MAIN.DOMAIN.LOCAL

 idmap config *:backend = tdb
 idmap config *:range = 95000-99999
 idmap config MAIN:backend = rid
 idmap config MAIN:range = 100000-999999
 idmap config DEV:backend = rid
 idmap config DEV:range = 2000000-2999999
 idmap config TODEV:backend = rid
 idmap config TODEV:range = 3000000-3999999

 winbind trusted domains only = no
 winbind use default domain = yes
 winbind refresh tickets = yes

 template shell = /bin/bash
 template homedir = /home/%D/%U

The issue is that "TODEV" is the short name, while the DNS name is to.dev.domain.local.... I can see group memberships in "DEV", but not in TODEV... presumably because there's no way for Samba to map the TODEV short name to a DNS "SRV" query to find the LDAP server details.

What would be the correct way to go about this when the domain short name, and the DNS don't match?

--
A. James Lewis ([hidden email])
"Engineering does not require science. Science helps a lot but people
built perfectly good brick walls long before they knew why cement works."
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
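The smb.conf above assigns each domain its own rid-backed idmap range, and winbind only behaves if those ranges are disjoint and large enough for the RIDs they must hold. The following is an added example, not code from the thread or from the Samba project: it parses the idmap lines of a [global] section (the text is constructed from the configuration quoted above), flags overlapping ranges, and computes the unix id the idmap_rid backend would assign to a SID using the rule ID = RID + LOW_RANGE_ID from idmap_rid(8). The helper names (parse_idmap, overlapping_ranges, rid_to_id) and the SIDs used in the comments are assumptions of this example.

```python
"""Added example (not from the thread): parse idmap config lines from an
smb.conf [global] section, check that per-domain ranges are disjoint, and
apply the idmap_rid mapping ID = RID + LOW_RANGE_ID (see idmap_rid(8)).
SMB_CONF is constructed from the configuration quoted in the thread."""
import re

SMB_CONF = """
[global]
 workgroup = MAIN
 security = ADS
 realm = MAIN.DOMAIN.LOCAL

 idmap config *:backend = tdb
 idmap config *:range = 95000-99999
 idmap config MAIN:backend = rid
 idmap config MAIN:range = 100000-999999
 idmap config DEV:backend = rid
 idmap config DEV:range = 2000000-2999999
 idmap config TODEV:backend = rid
 idmap config TODEV:range = 3000000-3999999
"""

# "idmap config <domain>:<backend|range> = <value>"; the domain may be "*".
IDMAP_RE = re.compile(
    r"^\s*idmap config\s+([^\s:]+)\s*:\s*(backend|range)\s*=\s*(\S+)\s*$",
    re.IGNORECASE,
)


def parse_idmap(conf: str) -> dict:
    """Return {domain: {"backend": str, "range": (low, high)}} for every
    idmap config line found in conf. Domain names are upper-cased, since
    winbind treats them case-insensitively."""
    domains = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        dom, key, value = m.group(1).upper(), m.group(2).lower(), m.group(3)
        entry = domains.setdefault(dom, {})
        if key == "range":
            low, high = (int(x) for x in value.split("-", 1))
            if low >= high:
                raise ValueError(f"bad range for {dom}: {value}")
            entry["range"] = (low, high)
        else:
            entry["backend"] = value.lower()
    return domains


def overlapping_ranges(domains: dict) -> list:
    """Return (domain_a, domain_b) pairs whose ranges overlap. Overlapping
    ranges let two different SIDs map to the same unix id, which is a
    file-ownership and access-control problem, so this should be empty."""
    items = sorted((v["range"], k) for k, v in domains.items() if "range" in v)
    clashes = []
    for (r1, d1), (r2, d2) in zip(items, items[1:]):
        if r2[0] <= r1[1]:  # next range starts before the previous one ends
            clashes.append((d1, d2))
    return clashes


def rid_to_id(domains: dict, domain: str, sid: str):
    """Map a SID to a unix id with the idmap_rid rule ID = RID + LOW_RANGE_ID.
    Returns None if the domain is not rid-backed, has no range, or the RID
    does not fit in the configured range (winbind would then fail the lookup,
    which shows up as missing users or groups for that domain)."""
    entry = domains.get(domain.upper())
    if not entry or entry.get("backend") != "rid" or "range" not in entry:
        return None
    rid = int(sid.rsplit("-", 1)[1])  # the RID is the last SID component
    low, high = entry["range"]
    unix_id = low + rid
    return unix_id if unix_id <= high else None


if __name__ == "__main__":
    cfg = parse_idmap(SMB_CONF)
    print("overlaps:", overlapping_ranges(cfg))
    # Constructed SID; with DEV's low range of 2000000, RID 1105 maps to 2001105.
    print("DEV RID 1105 ->", rid_to_id(cfg, "DEV", "S-1-5-21-1111-2222-3333-1105"))
```

A useful sanity check before adding a fourth domain: append its two idmap lines to the text and confirm overlapping_ranges still returns an empty list; the size of each range also bounds the highest RID the domain can ever hand out, so a range that is too small silently drops high-RID users and groups.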

Re: Trusted domain with different short name to DNS name.

Samba - General mailing list
On Thu, 28 Sep 2017 13:57:25 +0000
"A. James Lewis via samba" <[hidden email]> wrote:

> Hey,
>
> I have 2 trusted domains to deal with, "DEV" and "TODEV", and I have
> configured smb.conf like this:-
>
> [global]
>  workgroup = MAIN
>  security = ADS
>  realm = MAIN.DOMAIN.LOCAL
>
>  idmap config *:backend = tdb
>  idmap config *:range = 95000-99999
>  idmap config MAIN:backend = rid
>  idmap config MAIN:range = 100000-999999
>  idmap config DEV:backend = rid
>  idmap config DEV:range = 2000000-2999999
>  idmap config TODEV:backend = rid
>  idmap config TODEV:range = 3000000-3999999
>
>  winbind trusted domains only = no
>  winbind use default domain = yes
>  winbind refresh tickets = yes
>
>  template shell = /bin/bash
>  template homedir = /home/%D/%U
>
> The issue is that "TODEV" is the short name, while the DNS name is
> to.dev.domain.local.... I can see group memberships in "DEV", but not
> in TODEV... presumably because there's no way for Samba to map the
> TODEV short name to a DNS "SRV" query to find the LDAP server details.
>
> What would be the correct way to go about this when the domain short
> name, and the DNS don't match?
>

What version of Samba?
Are the trusts two way?

You should remove 'winbind use default domain'

Rowland



Re: Trusted domain with different short name to DNS name.

Samba - General mailing list
September 28, 2017 3:32 PM, "Rowland Penny via samba" <[hidden email]> wrote:

> On Thu, 28 Sep 2017 13:57:25 +0000
> "A. James Lewis via samba" <[hidden email]> wrote:
>
>> Hey,
>>
>> I have 2 trusted domains to deal with, "DEV" and "TODEV", and I have
>> configured smb.conf like this:-
>>
>> [global]
>> workgroup = MAIN
>> security = ADS
>> realm = MAIN.DOMAIN.LOCAL
>>
>> idmap config *:backend = tdb
>> idmap config *:range = 95000-99999
>> idmap config MAIN:backend = rid
>> idmap config MAIN:range = 100000-999999
>> idmap config DEV:backend = rid
>> idmap config DEV:range = 2000000-2999999
>> idmap config TODEV:backend = rid
>> idmap config TODEV:range = 3000000-3999999
>>
>> winbind trusted domains only = no
>> winbind use default domain = yes
>> winbind refresh tickets = yes
>>
>> template shell = /bin/bash
>> template homedir = /home/%D/%U
>>
>> The issue is that "TODEV" is the short name, while the DNS name is
>> to.dev.domain.local.... I can see group memberships in "DEV", but not
>> in TODEV... presumably because there's no way for Samba to map the
>> TODEV short name to a DNS "SRV" query to find the LDAP server details.
>>
>> What would be the correct way to go about this when the domain short
>> name, and the DNS don't match?
>
> What version of Samba?
> Are the trusts two way?
>
> You should remove 'winbind use default domain'
>
> Rowland
>
> --


I don't believe it's a two way trust, since the "MAIN" domain is the authentication domain, while the DEV/TODEV domains contain their own resources but the MAIN domain does not trust users in the DEV/TODEV domains.

As I say, it works with DEV, if I run wbinfo -r jlewis, I can see my group memberships in DEV, but not TODEV.

--
A. James Lewis ([hidden email])
"Engineering does not require science. Science helps a lot but people
built perfectly good brick walls long before they knew why cement works."


Re: Trusted domain with different short name to DNS name.

Samba - General mailing list
On Thu, 2017-09-28 at 13:57 +0000, A. James Lewis via samba wrote:
> Hey,
>
> I have 2 trusted domains to deal with, "DEV" and "TODEV", and I have configured smb.conf like this:-

> The issue is that "TODEV" is the short name, while the DNS name is to.dev.domain.local.... I can see group memberships in "DEV", but not in TODEV... presumably because there's no way for Samba to map the TODEV short name to a DNS "SRV" query to find the LDAP server details.
>
> What would be the correct way to go about this when the domain short name, and the DNS don't match?

We generally don't make simplistic mappings like that.  We connect to
the domain and ask it for both of its names.

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba



Re: Trusted domain with different short name to DNS name.

Samba - General mailing list
September 28, 2017 8:52 PM, "Andrew Bartlett" <[hidden email]> wrote:

> On Thu, 2017-09-28 at 13:57 +0000, A. James Lewis via samba wrote:
>
>> Hey,
>>
>> I have 2 trusted domains to deal with, "DEV" and "TODEV", and I have configured smb.conf like
>> this:-
>>
>> The issue is that "TODEV" is the short name, while the DNS name is to.dev.domain.local.... I can
>> see group memberships in "DEV", but not in TODEV... presumably because there's no way for Samba to
>> map the TODEV short name to a DNS "SRV" query to find the LDAP server details.
>>
>> What would be the correct way to go about this when the domain short name, and the DNS don't match?
>
> We generally don't make simplistic mappings like that. We connect to
> the domain and ask it for both of its names.
>
> Andrew Bartlett
>

OK, but I'm slightly lost trying to work out how it knows the domain exists in the first place, or what its DNS name is... does it get that through the main domain, or is there some other magic that occurs, since it definitely can't get from TODEV to to.dev, I don't think at least.



--
A. James Lewis ([hidden email])
"Engineering does not require science. Science helps a lot but people
built perfectly good brick walls long before they knew why cement works."
