LinuxQuestions.org


Ziggie 10-09-2007 01:00 PM

Active Directory integration on Samba shares
 
OK, so first the network environment.

Site is setup with two Windows Active Directory Environment Domains (let's call them DOMAINA and DOMAINB). DOMAINA and DOMAINB are each trusted domains of the other in the same forest (COMPANY.COM - so, DOMAINA.COMPANY.COM and DOMAINB.COMPANY.COM).

I am Sys/Network/All-around whatever of DOMAINB. Changing off of an Active Directory domain is unfortunately not an option. I have a RHEL 3 file server that is part of DOMAINB. It has two NICs, one on my network, and one on DOMAINA's network. The two networks do not physically connect except through the File server and the Domain Controller of DOMAINB. (DOMAINA can only see the DOMAINB DC and the File server).

Most of the shares on the File Server (let's call it FS1) are internal to DOMAINB. I can do some fudging with some name mapping and can restrict security to just members of DOMAINB. Even specific users as needed.

However, there are a few shares that have to be shared with members of DOMAINA. This is where I run into the problem. I cannot get any type of authentication system setup in which users connecting from DOMAINA can only connect to the shares if they have access to connect. The closest thing (and this is terribly kludgey) is to setup separate smb.conf files for each user based on their security needs. But that only gives me share level control (which is marginally better than no control at all). I cannot get AD users or groups lined up with Linux groups whenever I have to get DOMAINA users involved.

So...here's where I need help.

I either need:
a) a way of matching incoming users from DOMAINA to pre-defined users on FS1, giving me a form of security (not preferable)
b) a way to use AD group security to apply security to linux shares (preferable)
c) wipe linux off and make my file server a windows box (kidding, really).

Help, thoughts, and advice is greatly appreciated.

Regards,

Ziggs

kstan 10-17-2007 08:42 PM

Hi Ziggie,
I have never tried two domains before, but I believe that after you have joined your Linux server into the domain, you can configure PAM and nsswitch.conf so you can log in to the server (I mean physically, not coming through the network via Samba services) via winbind. Then you can set Unix file system permissions using Windows domain users.

If you want to have more advanced permission settings, mount the partition with the acl option.

I believe after you complete everything, chown DOMAINA\\kstan yourfolder will be your solution.

Regards,
Ks

Ziggie 10-18-2007 08:35 AM

I'm not able to do name mapping. I am simply a tree in the forest, and can't do much outside of my tree.

When trying to install UNIX services for Windows, the install errors out because it doesn't have access to the forest DC.

Not a lot I can do about that, unfortunately.

kstan 10-18-2007 08:04 PM

You do not need to add Samba into every tree (all domains); joining one domain is sufficient. As long as the Active Directory domains trust each other, you will be able to access the entire forest.

Ziggie 10-19-2007 09:06 AM

Then maybe I'm missing something....

When I try to install NIS Server onto the Windows 2003 Domain Controller, it fails because it cannot modify the schema of the Forest Root Domain Controller (COMPANY.COM).

Is there a way to configure PAM and nsswitch.conf without NIS Server for Windows that I'm not aware of?

Thanks.

linux_dude_77 10-19-2007 10:02 AM

Ziggie,

If you want, I can refer your question to an expert at SearchEnterpriseLinux.com. Let me know.

elcody02 10-20-2007 05:58 AM

Quote:

Originally Posted by Ziggie (Post 2929668)
Then maybe I'm missing something....

When I try to install NIS Server onto the Windows 2003 Domain Controller, it fails because it cannot modify the schema of the Forest Root Domain Controller (COMPANY.COM).

Is there a way to configure PAM and nsswitch.conf without NIS Server for Windows that I'm not aware of?

Thanks.

You need a stable mapping of SID/RID <=> Unix user/group ID. This can best be achieved via winbind. If you want to have a stable mapping, you should either use LDAP to store the mappings or use rid-mapping. You should find more information here:
http://us3.samba.org/samba/docs/man/...in-member.html

If you have any further questions. Just post.

Have fun.

Ziggie 10-22-2007 07:58 AM

I have winbind installed and running. It works beautifully for DOMAINB. DOMAINA, which is a trusted domain, not the actual domain, is where the problem comes from.

I can make an AD group and give that AD group access using the valid users switch in smb.conf. However, if I put a member of DOMAINA in that group, then that member doesn't translate correctly, and DOMAINB members of that group start having issues as well.

Very perplexing.

Linux_Dude: I don't know anything about SearchEnterpriseLinux.com, but if they can help I'm all for it.

Thanks.
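The symptom in Ziggie's last post (a DOMAINA member of a DOMAINB group not translating, and DOMAINB members of the same group breaking once the cross-domain member is added) is consistent with the stable SID-to-UID mapping problem elcody02 describes: when winbind has no deterministic idmap backend for a trusted domain, or when the per-domain uid/gid ranges overlap, the IDs it hands out are unpredictable and collide. The script below is an added example written for this thread, not code from the posters or from the Samba project. It embeds two constructed smb.conf [global] fragments: a weak one that only maps the joined domain (DOMAINB) and lets its range overlap the "*" default allocator, and a corrected one that gives DOMAINA and DOMAINB their own rid backends and non-overlapping ranges. It then checks a configuration for the two defects. The domain names, realm and range values are assumptions; the lines use the per-domain `idmap config DOMAIN : ...` syntax of current Samba, which differs from the `idmap backend = rid:...` form of very early Samba 3.0 releases such as the one shipped with RHEL 3.

```python
"""Check the winbind idmap section of an smb.conf for the two classic
trusted-domain pitfalls: a domain with no deterministic idmap backend of
its own, and uid/gid ranges that overlap between domains (or with the
'*' default allocator)."""
import re

# Constructed sample: only the joined domain (DOMAINB) has a backend.  Users
# from the trusted DOMAINA fall through to the '*' tdb allocator, and the
# DOMAINB range overlaps that allocator's range, so IDs collide.
WEAK_SMB_CONF = """
[global]
    workgroup = DOMAINB
    realm = DOMAINB.COMPANY.COM
    security = ads
    idmap config * : backend = tdb
    idmap config * : range = 10000-19999
    idmap config DOMAINB : backend = rid
    idmap config DOMAINB : range = 10000-29999
"""

# Constructed sample: every domain whose users may reach a share gets its own
# rid backend and a range disjoint from every other range.
FIXED_SMB_CONF = """
[global]
    workgroup = DOMAINB
    realm = DOMAINB.COMPANY.COM
    security = ads
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config DOMAINB : backend = rid
    idmap config DOMAINB : range = 10000-999999
    idmap config DOMAINA : backend = rid
    idmap config DOMAINA : range = 1000000-1999999
"""

IDMAP_RE = re.compile(
    r"^\s*idmap config\s+(\S+)\s*:\s*(backend|range)\s*=\s*(.+?)\s*$", re.I)

# Backends whose mapping is the same on every host: rid and ad derive the ID
# from the SID, ldap shares one allocation table (elcody02's two options).
STABLE_BACKENDS = {"rid", "ad", "ldap"}


def parse_idmap(conf_text):
    """Return {DOMAIN: {"backend": str, "range": (lo, hi)}} from smb.conf text."""
    domains = {}
    for line in conf_text.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        dom, key, value = m.group(1).upper(), m.group(2).lower(), m.group(3)
        entry = domains.setdefault(dom, {})
        if key == "range":
            lo, hi = (int(x) for x in re.split(r"\s*-\s*", value))
            entry["range"] = (lo, hi)
        else:
            entry["backend"] = value.lower()
    return domains


def check_idmap(conf_text, domains_in_use):
    """Return a list of problem strings (empty when the config is sound).

    domains_in_use: the joined domain plus every trusted domain whose users
    must map to the same Unix IDs on every host that serves the shares."""
    problems = []
    idmap = parse_idmap(conf_text)
    for dom in (d.upper() for d in domains_in_use):
        entry = idmap.get(dom, {})
        if "backend" not in entry:
            problems.append(f"{dom}: no idmap backend; IDs come from the '*' "
                            f"default allocator and are not stable")
        elif entry["backend"] not in STABLE_BACKENDS:
            problems.append(f"{dom}: backend {entry['backend']!r} allocates "
                            f"IDs locally; mappings will differ between hosts")
        if entry and "range" not in entry:
            problems.append(f"{dom}: idmap backend configured without a range")
    # Every configured range, including '*', must be disjoint from the others.
    ranged = [(d, e["range"]) for d, e in idmap.items() if "range" in e]
    for i, (d1, (lo1, hi1)) in enumerate(ranged):
        if lo1 > hi1:
            problems.append(f"{d1}: range {lo1}-{hi1} is inverted")
        for d2, (lo2, hi2) in ranged[i + 1:]:
            if lo1 <= hi2 and lo2 <= hi1:
                problems.append(f"{d1} and {d2}: ranges {lo1}-{hi1} and "
                                f"{lo2}-{hi2} overlap")
    return problems


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_SMB_CONF), ("fixed", FIXED_SMB_CONF)):
        found = check_idmap(conf, ["DOMAINB", "DOMAINA"])
        print(f"{name}: {found or 'no idmap problems found'}")
```

Run it against a real smb.conf by passing the file's contents to check_idmap with the list of every domain (joined and trusted) that will hit the shares; once the list is empty, `wbinfo -n 'DOMAINA\someuser'` followed by `getent passwd` on that name should return the same UID on every member server using the same ranges.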

