LinuxQuestions.org
Old 10-09-2007, 01:00 PM   #1
Ziggie
Member
 
Registered: Nov 2005
Distribution: Red Hat AS 3
Posts: 49

Rep: Reputation: 15
Active Directory integration on Samba shares


OK, so first the network environment.

The site is set up with two Windows Active Directory domains (let's call them DOMAINA and DOMAINB). DOMAINA and DOMAINB are each trusted domains of the other in the same forest (COMPANY.COM - so, DOMAINA.COMPANY.COM and DOMAINB.COMPANY.COM).

I am Sys/Network/All-around whatever of DOMAINB. Changing off of an Active Directory domain is unfortunately not an option. I have a RHEL 3 file server that is part of DOMAINB. It has two NICs, one on my network, and one on DOMAINA's network. The two networks do not physically connect except through the File server and the Domain Controller of DOMAINB. (DOMAINA can only see the DOMAINB DC and the File server).

Most of the shares on the File Server (let's call it FS1) are internal to DOMAINB. I can do some fudging with some name mapping and can restrict security to just members of DOMAINB. Even specific users as needed.

However, there are a few shares that have to be shared with members of DOMAINA. This is where I run into the problem. I cannot get any type of authentication system set up in which users connecting from DOMAINA can only connect to the shares if they have access to connect. The closest thing (and this is terribly kludgey) is to set up separate smb.conf files for each user based on their security needs. But that only gives me share-level control (which is marginally better than no control at all). I cannot get AD users or groups lined up with Linux groups whenever I have to get DOMAINA users involved.

So...here's where I need help.

I either need:
a) a way of matching incoming users from DOMAINA to pre-defined users on FS1, giving me a form of security (not preferable)
b) a way to use AD group security to apply security to linux shares (preferable)
c) wipe linux off and make my file server a windows box (kidding, really).

Help, thoughts, and advice are greatly appreciated.

Regards,

Ziggs
 
Old 10-17-2007, 08:42 PM   #2
kstan
Member
 
Registered: Sep 2004
Location: Malaysia, Johor
Distribution: Dual boot MacOS X/Ubuntu 9.10
Posts: 851

Rep: Reputation: 31
Hi Ziggie,
I have never tried two domains before, but I believe after you have joined your Linux server into the domain, you can configure PAM and nsswitch.conf so that you can log in to the server (I mean physically, not through the network via Samba services) via winbind. Then you can set Unix file system permissions using Windows domain users.

If you want more advanced permission settings, mount the partition with the acl option.

I believe after you complete everything, chown DOMAINA\\kstan yourfolder will be your solution.

Regards,
Ks
 
Old 10-18-2007, 08:35 AM   #3
Ziggie
Member
 
Registered: Nov 2005
Distribution: Red Hat AS 3
Posts: 49

Original Poster
Rep: Reputation: 15
I'm not able to do name mapping. I am simply a tree in the forest, and can't do much outside of my tree.

When trying to install UNIX services for Windows, the install errors out because it doesn't have access to the forest DC.

Not a lot I can do about that, unfortunately.
 
Old 10-18-2007, 08:04 PM   #4
kstan
Member
 
Registered: Sep 2004
Location: Malaysia, Johor
Distribution: Dual boot MacOS X/Ubuntu 9.10
Posts: 851

Rep: Reputation: 31
You do not need to add Samba into every tree (all domains); joining just one domain is sufficient. As long as the Active Directory domains trust each other, you will be able to access the entire forest.
 
Old 10-19-2007, 09:06 AM   #5
Ziggie
Member
 
Registered: Nov 2005
Distribution: Red Hat AS 3
Posts: 49

Original Poster
Rep: Reputation: 15
Then maybe I'm missing something....

When I try to install NIS Server onto the Windows 2003 Domain Controller, it fails because it cannot modify the schema of the Forest Root Domain Controller (COMPANY.COM).

Is there a way to configure PAM and nsswitch.conf without NIS Server for Windows that I'm not aware of?

Thanks.
 
Old 10-19-2007, 10:02 AM   #6
linux_dude_77
LQ Newbie
 
Registered: Oct 2007
Posts: 5

Rep: Reputation: 0
Ziggie,

If you want, I can refer your question to an expert at SearchEnterpriseLinux.com. Let me know.
 
Old 10-20-2007, 05:58 AM   #7
elcody02
Member
 
Registered: Jun 2007
Posts: 52

Rep: Reputation: 17
Quote:
Originally Posted by Ziggie
Then maybe I'm missing something....

When I try to install NIS Server onto the Windows 2003 Domain Controller, it fails because it cannot modify the schema of the Forest Root Domain Controller (COMPANY.COM).

Is there a way to configure PAM and nsswitch.conf without NIS Server for Windows that I'm not aware of?

Thanks.
You need a stable mapping of SID/RID <=> Unix user/group ID. This can best be achieved via winbind. If you want to have a stable mapping you should either use LDAP to store the mappings or use RID mapping. You should find more information here:
http://us3.samba.org/samba/docs/man/...in-member.html

If you have any further questions, just post.

Have fun.
 
Old 10-22-2007, 07:58 AM   #8
Ziggie
Member
 
Registered: Nov 2005
Distribution: Red Hat AS 3
Posts: 49

Original Poster
Rep: Reputation: 15
I have winbind installed and running. It works beautifully for DOMAINB. DOMAINA, which is a trusted domain, not the actual domain, is where the problem comes from.

I can make an AD group, and give that AD group access using the valid_users switch in smb.conf. However, if I put a member of DOMAINA in that group, then that member doesn't translate correctly, and DOMAINB members of that group start having issues as well.

Very perplexing.

Linux_Dude: I don't know anything about SearchEnterpriseLinux.com, but if they can help I'm all for it.

Thanks.
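The following is an added illustration of what elcody02 means in #7 by a "stable mapping" with RID-based idmap, and of the kind of collision that can produce symptoms like the ones Ziggie describes in #8. It is not code from the thread or from the Samba project. The smb.conf fragment is constructed and uses Samba's per-domain "idmap config DOMAIN : backend / range" syntax (the assumption here is that the Samba build on the server supports it; older 3.0.x releases only had a single global idmap backend and range). The domain SIDs in DOMAIN_SIDS are made up stand-ins for what winbind learns from the domain controllers. The arithmetic follows the idmap_rid rule ID = RID - BASE_RID + LOW_RANGE_ID with the default BASE_RID of 0, applied per domain, so the same RID in DOMAINA and DOMAINB maps to two different Unix IDs only when the two ranges are disjoint.

```python
import re
from itertools import combinations

# Constructed smb.conf fragment (not from the thread). The trusted domain
# DOMAINA gets its own disjoint range, so its IDs can never collide with DOMAINB's.
SMB_CONF = """
[global]
   workgroup = DOMAINB
   realm = DOMAINB.COMPANY.COM
   security = ads
   winbind use default domain = no
   # catch-all allocating backend for SIDs from domains not listed below
   idmap config * : backend = tdb
   idmap config * : range = 10000-19999
   # deterministic RID-based mapping, one non-overlapping range per domain
   idmap config DOMAINB : backend = rid
   idmap config DOMAINB : range = 100000-199999
   idmap config DOMAINA : backend = rid
   idmap config DOMAINA : range = 200000-299999
"""

# Constructed misconfiguration: both domains share one range, so equal RIDs collide.
BAD_CONF = """
[global]
   idmap config DOMAINB : backend = rid
   idmap config DOMAINB : range = 100000-199999
   idmap config DOMAINA : backend = rid
   idmap config DOMAINA : range = 100000-199999
"""

# Constructed domain SIDs standing in for what winbind learns from the DCs.
DOMAIN_SIDS = {
    "S-1-5-21-1000-2000-3000": "DOMAINB",
    "S-1-5-21-4000-5000-6000": "DOMAINA",
}

IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(\S+)\s*:\s*(backend|range)\s*=\s*(\S+)\s*$", re.I
)


def parse_idmap_config(text):
    """Return {domain: {"backend": str, "range": (low, high)}} from smb.conf text."""
    config = {}
    for line in text.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        domain, key, value = m.group(1).upper(), m.group(2).lower(), m.group(3)
        entry = config.setdefault(domain, {})
        if key == "range":
            low, high = (int(x) for x in value.split("-", 1))
            if low > high:
                raise ValueError(f"bad range for {domain}: {value}")
            entry["range"] = (low, high)
        else:
            entry["backend"] = value.lower()
    return config


def split_sid(sid):
    """Split 'S-1-5-21-a-b-c-RID' into (domain SID, RID); reject other SID shapes."""
    if not re.fullmatch(r"S-1-5-21(-\d+){4}", sid):
        raise ValueError(f"not a domain account SID: {sid}")
    domain_sid, rid = sid.rsplit("-", 1)
    return domain_sid, int(rid)


def sid_to_id(sid, config, domain_sids=DOMAIN_SIDS):
    """Map a SID to a Unix ID the way idmap_rid does: ID = low + RID (BASE_RID = 0).

    Returns None when the mapping is not deterministic: the domain has no rid
    backend configured, or the RID falls outside the domain's range.
    """
    domain_sid, rid = split_sid(sid)
    domain = domain_sids.get(domain_sid)
    entry = config.get(domain) if domain else None
    if not entry or entry.get("backend") != "rid" or "range" not in entry:
        return None
    low, high = entry["range"]
    unix_id = low + rid
    return unix_id if unix_id <= high else None


def find_overlaps(config):
    """Return sorted pairs of domains whose idmap ranges overlap (a misconfiguration)."""
    ranged = {d: e["range"] for d, e in config.items() if "range" in e}
    overlaps = []
    for a, b in combinations(sorted(ranged), 2):
        (a_lo, a_hi), (b_lo, b_hi) = ranged[a], ranged[b]
        if a_lo <= b_hi and b_lo <= a_hi:
            overlaps.append((a, b))
    return overlaps


if __name__ == "__main__":
    good, bad = parse_idmap_config(SMB_CONF), parse_idmap_config(BAD_CONF)
    for sid in ("S-1-5-21-1000-2000-3000-1105", "S-1-5-21-4000-5000-6000-1105"):
        print(sid, "->", sid_to_id(sid, good), "(good)", sid_to_id(sid, bad), "(bad)")
    print("overlapping ranges in bad config:", find_overlaps(bad))
```

With the good configuration, RID 1105 from DOMAINB becomes 101105 and the same RID from DOMAINA becomes 201105; with the shared range both become 101105, so a DOMAINA user and an unrelated DOMAINB user would own each other's files and group memberships, which is why checking that the per-domain ranges are disjoint (find_overlaps above, or testparm plus wbinfo --sid-to-uid on a real server) belongs in the deployment checklist before any share is opened to the trusted domain.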
 