Linux - Enterprise: This forum is for all items relating to using Linux in the Enterprise.
Site is set up with two Windows Active Directory Environment Domains (let's call them DOMAINA and DOMAINB). DOMAINA and DOMAINB are each trusted domains of the other in the same forest (COMPANY.COM - so, DOMAINA.COMPANY.COM and DOMAINB.COMPANY.COM).
I am Sys/Network/All-around whatever of DOMAINB. Changing off of an Active Directory domain is unfortunately not an option. I have a RHEL 3 file server that is part of DOMAINB. It has two NICs, one on my network, and one on DOMAINA's network. The two networks do not physically connect except through the File server and the Domain Controller of DOMAINB. (DOMAINA can only see the DOMAINB DC and the File server).
Most of the shares on the File Server (let's call it FS1) are internal to DOMAINB. I can do some fudging with some name mapping and can restrict security to just members of DOMAINB. Even specific users as needed.
However, there are a few shares that have to be shared with members of DOMAINA. This is where I run into the problem. I cannot get any type of authentication system set up in which users connecting from DOMAINA can only connect to the shares if they have access to connect. The closest thing (and this is terribly kludgey) is to set up separate smb.conf files for each user based on their security needs. But that only gives me share-level control (which is marginally better than no control at all). I cannot get AD users or groups lined up with Linux groups whenever I have to get DOMAINA users involved.
So...here's where I need help.
I either need:
a) a way of matching incoming users from DOMAINA to pre-defined users on FS1, giving me a form of security (not preferable)
b) a way to use AD group security to apply security to linux shares (preferable)
c) wipe linux off and make my file server a windows box (kidding, really).
Help, thoughts, and advice are greatly appreciated.
I have never tried two domains before, but I believe that after you have joined your Linux server to the domain, you can configure PAM and nsswitch.conf so you can log in to the server (I mean physically, not over the network via Samba services) via winbind. Then you can set Unix file system permissions using Windows domain users.
If you want more advanced permission settings, mount the partition with the acl option.
I believe after you complete everything chown DOMAINA\\kstan yourfolder will be your solution.
When I try to install NIS Server onto the Windows 2003 Domain Controller, it fails because it cannot modify the schema of the Forest Root Domain Controller (COMPANY.COM).
Is there a way to configure PAM and nsswitch.conf without NIS Server for Windows that I'm not aware of?
You need a stable mapping of SID/RID <=> Unix User/Group ID. This can be best achieved via winbind. If you want to have a stable mapping you should either use ldap to store the mappings or rid-mapping. You should find more information here: http://us3.samba.org/samba/docs/man/...in-member.html
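To make the rid-mapping suggestion above concrete for a two-domain setup, here is a small model of how winbind's rid backend derives Unix IDs: each domain gets its own smb.conf stanza and its own non-overlapping ID range, and a user's UID is simply range_low + RID, so it is the same on every server without any allocation database to keep in sync. This is an added illustration written for this thread, not code from the thread or from Samba. The domain names come from the thread; the domain SIDs, the ID ranges and the smb.conf values in the comments are assumed, and the per-domain `idmap config DOMAIN : ...` syntax is the one current Samba versions use, not necessarily the RHEL 3 era syntax.

```python
"""Model of Samba's idmap 'rid' backend with one stanza per domain.

Added example for this thread (not from the thread or from Samba).
The smb.conf settings modelled here (values assumed, per-domain syntax
as in current Samba):

    idmap config *       : backend = tdb
    idmap config *       : range   = 1000-9999
    idmap config DOMAINB : backend = rid
    idmap config DOMAINB : range   = 10000-19999
    idmap config DOMAINA : backend = rid
    idmap config DOMAINA : range   = 20000-29999
"""
import re

# Constructed domain SIDs; a real deployment reads them with `net getdomainsid`
# / `wbinfo --domain-info`. Ranges must not overlap, or two SIDs share a UID.
IDMAP_CONFIG = {
    "DOMAINB": {"sid": "S-1-5-21-1111-2222-3333", "range": (10000, 19999)},
    "DOMAINA": {"sid": "S-1-5-21-4444-5555-6666", "range": (20000, 29999)},
}

# A domain account SID is the domain SID followed by the account's RID.
SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")


def check_ranges(config):
    """Return the list of (domain, domain) pairs whose ID ranges overlap.

    An empty list means the configuration is safe: every UID/GID belongs
    to exactly one domain, which is what makes the mapping reversible.
    """
    overlaps = []
    items = list(config.items())
    for i, (name_a, cfg_a) in enumerate(items):
        lo_a, hi_a = cfg_a["range"]
        for name_b, cfg_b in items[i + 1:]:
            lo_b, hi_b = cfg_b["range"]
            if lo_a <= hi_b and lo_b <= hi_a:
                overlaps.append((name_a, name_b))
    return overlaps


def sid_to_uid(sid, config=IDMAP_CONFIG):
    """Map an account SID to (domain, uid) the way the rid backend does.

    Returns None when the SID belongs to a domain with no stanza or the
    RID falls outside the configured range; in a live winbind, users from
    such a domain come through with no usable Unix identity.
    """
    match = SID_RE.match(sid)
    if not match:
        return None
    domain_sid, rid = match.group(1), int(match.group(2))
    for name, cfg in config.items():
        if cfg["sid"] == domain_sid:
            lo, hi = cfg["range"]
            uid = lo + rid
            return (name, uid) if uid <= hi else None
    return None


def uid_to_sid(uid, config=IDMAP_CONFIG):
    """Reverse mapping: find the range that contains uid and recover the RID."""
    for cfg in config.values():
        lo, hi = cfg["range"]
        if lo <= uid <= hi:
            return f"{cfg['sid']}-{uid - lo}"
    return None


if __name__ == "__main__":
    print("range overlaps:", check_ranges(IDMAP_CONFIG))
    # Constructed RIDs: 1105 is a typical first-user RID in a fresh domain.
    for sid in ("S-1-5-21-1111-2222-3333-1105",   # DOMAINB user
                "S-1-5-21-4444-5555-6666-1105",   # DOMAINA user, same RID
                "S-1-5-21-7777-8888-9999-1105"):  # domain with no stanza
        print(sid, "->", sid_to_uid(sid))
```

Two things worth checking on a real box after configuring this: `wbinfo -S S-1-5-21-...-1105` should return the UID the model predicts for both domains, and `getent passwd 'DOMAINA\kstan'` should succeed, which it cannot if DOMAINA has no stanza or its range collides with DOMAINB's. Because the rid backend is deterministic, the same smb.conf on a second file server yields identical UIDs, so ACLs and ownership stay correct across servers.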
I have winbind installed and running. It works beautifully for DOMAINB. DOMAINA, which is a trusted domain, not the actual domain, is where the problem comes from.
I can make an AD group and give that AD group access using the valid_users switch in smb.conf. However, if I put a member of DOMAINA in that group, then that member doesn't translate correctly, and DOMAINB members of that group start having issues as well.
Linux_Dude: I don't know anything about SearchEnterpriseLinux.com, but if they can help I'm all for it.