Samba to support multiple NT domains/active directory

Ian Foster_2
Frequent Advisor

Samba to support multiple NT domains/active directory

We currently have a number of Unix servers (HP and others) running older versions of Samba (2.2/2.3) which authenticate users on our current NT4 domain via the PDC (security=share, though I think this is probably bad practice anyway).

Our existing NT4 domain and that of another company are shortly to be migrated to a new Active Directory 'Forest' which will require that the Samba services can be accessed by users both on the existing NT4 domains and the new AD domain during the transition. I believe that the latest stable version of Samba V3.06 supports AD and multiple domains; has anybody any experience with such a setup or any general pointers which may help us on our way?

Also, as currently authentication is pass-through (i.e. the user's Unix username matches the NT4 domain username), we have an issue as the project calls for the new AD domain usernames to be of the format user.name@domain. Will this format cause a problem in terms of changing the Unix username to match? Alternatively, can we use some sort of username mapping to translate the new usernames to the old Unix names?

I have a mountain of documentation to look at on Samba 3.06 and AD but any general advice from anybody who has already been down this route would be greatly appreciated.
eric roseme
Respected Contributor
Solution

Re: Samba to support multiple NT domains/active directory

Hi Ian,

1. CIFS/Samba can only join one domain, because the domain trust password is kept in the secrets.tdb file, of which there can only be one (in case you were thinking of using an smb.conf include for multiple server profiles).
2. CIFS/Samba honors Windows domain trusts. It seems likely that in this migration your NT4 domains will be trusted by your ADS domains (and/or vice-versa), so you should have CIFS/Samba access.
3. "security=share" does not utilize domain membership for pass-through auth-n. You would need "security=domain" for that. If your server(s) are "security=share", then the auth-n is usually by unencrypted password to smbpasswd. So check to see if you are really domain members (unless you have some very customized config).
4. I have a slideset from HPworld that I gave for CIFS/Samba 3.0.5 config and mgt. Let me know if you want it.
5. You will not be able to use implicit username mapping with a user.name Windows username. You can either map them manually in the usermap file, or use winbind (automatic mapping process). If you are running multiple CIFS/Samba servers, then you need to check out the above-mentioned slide set to understand the winbind mapping issues related to that config.

HP CIFS Server will be released on Samba 3.0.5-3.0.6 (not sure which one yet) in November. We have a test version out at: http://www.software.hp.com/portal/swdepot/displayProductInfo.do?productNumber=CIFSTP3

Eric Roseme
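
An added example, not part of the reply above or of HP's or Samba's code: a small Python model of the usermap file the reply mentions, following the `username map` line syntax documented in smb.conf(5) (`unix_name = windows_name ...`, a leading `!` to stop at the first matching line, `*` as a wildcard). The account names are constructed, and `@group` entries are not expanded; it shows why explicit entries need `!` when a catch-all line follows them.

```python
import shlex

# Constructed sample in Samba "username map" syntax: unix_name = windows_name ...
SAMPLE_MAP = """\
# old Unix account = new AD-style login name(s)
!ifoster = ian.foster "Ian Foster"
jsmith = john.smith
guest = *
"""

def parse_usermap(text):
    """Return [(stop, unix_name, [windows_names])] in file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank lines and comments
            continue
        stop = line.startswith("!")          # '!' = stop after this line if it matched
        unix, sep, rhs = line.lstrip("!").partition("=")
        if not sep or not unix.strip():
            continue                         # not a mapping line
        lex = shlex.shlex(rhs, posix=True)
        lex.whitespace_split = True
        lex.escape = ""                      # keep the backslash of DOMAIN\user literal
        lex.quotes = '"'                     # names with spaces are double-quoted
        lex.commenters = ""
        rules.append((stop, unix.strip(), list(lex)))
    return rules

def resolve(rules, win_name):
    """Map a Windows login name to the Unix account the file yields."""
    current = win_name
    for stop, unix, names in rules:
        # Matching is case-insensitive here; @group entries are not expanded.
        if any(n == "*" or n.lower() == current.lower() for n in names):
            current = unix                   # later lines see the mapped name
            if stop:
                break
    return current

if __name__ == "__main__":
    rules = parse_usermap(SAMPLE_MAP)
    for name in ("ian.foster", "Ian Foster", "john.smith", "someone.else"):
        print(f"{name!r} -> {resolve(rules, name)}")
```

In the sample, `john.smith` ends up as `guest` because its line lacks `!` and the wildcard line remaps it again, so a map with a catch-all entry should be checked for every explicit name before it goes live.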
Ian Foster_2
Frequent Advisor

Re: Samba to support multiple NT domains/active directory

Thanks for the info Eric. Apologies for the delay in assigning points and closing the thread.