Re: [Samba] How to configure winbind to work with two domain controllers?

From: Gaiseric Vandal <gaiseric.vandal_at_nospam>
Date: Wed Aug 11 2010 - 16:10:20 GMT
To: samba@lists.samba.org

Your Linux server needs to be in one domain only. On the Windows domain
controllers, you can establish trusts between the domains.

On your Linux server you may need to specify separate idmap parameters
for each domain. Based on "man idmap_ad" it might look something like

...
idmap domains = Domain1 Domain2
...
idmap config Domain1 : backend = ad
idmap config Domain1 : range = 10001-20000
...
idmap config Domain2 : backend = ad
idmap config Domain2 : range = 20001-30000
...

On 08/11/2010 10:36 AM, Sergey Stepanov wrote:
> Hello
>
> I have two domain controllers on win2k3 (say srv1.domain1 and
> srv2.domain2) and winbind running on 3rd linux server (
>
> When I put "workgroup = domain1" in smb.conf, i can work with domain1
> only, i.e.
> # ntlm_auth --username=dom1user --domain=domain1 --password=goodpassword
> NT_STATUS_OK: Success (0x0)
> but with domain2 fails:
> # ntlm_auth --username=dom2user --domain=domain2 --password=goodpassword
> NT_STATUS_NO_SUCH_USER: No such user (0xc0000064)
>
> When i change workgroup to "workgroup = domain2", the things changed:
> domain1 fails:
> # ntlm_auth --username=dom1user --domain=domain1 --password=goodpassword
> NT_STATUS_NO_SUCH_USER: No such user (0xc0000064)
> domain2 is ok:
> # ntlm_auth --username=dom2user --domain=domain2 --password=goodpassword
> NT_STATUS_OK: Success (0x0)
>
> Please, help, how to tell winbind to work with both domain controllers.
>
> winbind and ntlm_auth built from RHEL/CENTOS 5.5 srpm:
> # /usr/bin/ntlm_auth -V
> Version 3.0.33-3.28
> /usr/sbin/winbindd -V
> Version 3.0.33-3.28
>
> kerberos is not used.
>
> sample smb.conf:
> [global]
> winbind separator = +
> winbind use default domain = no
> winbind enum users = no
> winbind enum groups = no
> winbind use default domain = no
> security = domain
> encrypt passwords = yes
> wins support = no
> enhanced browsing = no
> domain master = no
> domain logons = no
> local master = no
> preferred master = no
> name resolve order = lmhosts
> auth methods = winbind
> workgroup = domain1 # or domain2
> netbios name = SERVER
> password server = ip1 ip2 * # or without *
>
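
Added example (not part of either post, and not Samba project code): a Python check over the idmap layout suggested in the reply, confirming that every domain named in "idmap domains" has a backend and a range and that no two ranges overlap, since the ranges are what keep the two domains' UIDs and GIDs apart. The function names and SAMPLE_CONF are constructed for illustration.

```python
import re
from itertools import combinations

# Constructed sample: the idmap lines from the reply, "..." elisions dropped.
SAMPLE_CONF = """\
idmap domains = Domain1 Domain2
idmap config Domain1 : backend = ad
idmap config Domain1 : range = 10001-20000
idmap config Domain2 : backend = ad
idmap config Domain2 : range = 20001-30000
"""
DOMAINS_RE = re.compile(r"idmap domains\s*=\s*(.+)", re.I)
CONFIG_RE = re.compile(r"idmap config\s+(\S+)\s*:\s*(\S+)\s*=\s*(.+)", re.I)

def parse_idmap(text):
    """Return (listed_domains, {domain: {option: value}}) from smb.conf text."""
    listed, config = [], {}
    for line in map(str.strip, text.splitlines()):
        if not line or line[0] in "#;":
            continue  # blank line or smb.conf comment
        if m := DOMAINS_RE.fullmatch(line):
            listed = m.group(1).upper().split()  # domain names compared case-insensitively
        elif m := CONFIG_RE.fullmatch(line):
            dom, opt = m.group(1).upper(), m.group(2).lower()
            config.setdefault(dom, {})[opt] = m.group(3).strip()
    return listed, config

def check_idmap(text):
    """List problems: missing backend, missing/invalid range, overlapping ranges."""
    listed, config = parse_idmap(text)
    problems, ranges = [], []
    for dom in listed or sorted(config):
        opts = config.get(dom, {})
        if "backend" not in opts:
            problems.append(f"{dom}: no backend")
        m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", opts.get("range", ""))
        if not m or int(m.group(1)) > int(m.group(2)):
            problems.append(f"{dom}: missing or invalid range")
            continue
        ranges.append((int(m.group(1)), int(m.group(2)), dom))
    ranges.sort()  # sorted by low bound, so a pair overlaps iff lo2 <= hi1
    for (lo1, hi1, d1), (lo2, hi2, d2) in combinations(ranges, 2):
        if lo2 <= hi1:
            problems.append(f"{d1} and {d2}: ranges overlap")
    return problems

if __name__ == "__main__":
    print(check_idmap(SAMPLE_CONF) or "idmap ranges OK")
```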
