
SAMBA verifying users against 2 different domains

 
Jonas Back_2
Super Advisor

SAMBA verifying users against 2 different domains

I'm responsible for migrating our WinNT domain (OLDDOMAIN) into an AD domain on Win2003 servers (NEWDOMAIN). I'm a Windows person so I hope you can bear with me ;)

We have a couple of SAMBA servers on RH7.3 that run Samba in OLDDOMAIN. The problem we have is that we have started migrating users from OLDDOMAIN to NEWDOMAIN using SIDHistory. This seems to be working fine for all our Windows shares, but the users that had access to the Samba shares before can no longer access them.

Any ideas for this?

I had one thought that it might be possible to verify users against two different domains at the same time? We can't reconfigure the Samba server to verify users against just NEWDOMAIN because many users are still in OLDDOMAIN. Also, our Linux tech told me that Samba3 has support for AD, but we're not moving to Samba3 for a couple of months yet and I need a quick solution to our problem ;)
Steven E. Protter
Exalted Contributor

Re: SAMBA verifying users against 2 different domains

Your smb.conf configuration is set to validate users on the old domain.

The best way to solve this problem is to stop removing users from the old domain controller.

You can also stop validating users off the domain controllers during the transition.

You'll need to have a user ID on the Linux boxes for all users and run this command for each of them as root:

smbpasswd -a <username>

This is a pain, but it gets you through the transition without a Samba upgrade.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Jonas Back_2
Super Advisor

Re: SAMBA verifying users against 2 different domains

Thanks very much for the help.

I just checked and it seems like the old account in the OLDDOMAIN wasn't removed nor disabled. However, the user had to change their password at first login at the NEWDOMAIN. Could this be the cause?

And your suggestion to verify users locally, if you put the same username and password as they have in the domain, will it ask for the username/password when they try to connect to the share or not?
Steven E. Protter
Exalted Contributor

Re: SAMBA verifying users against 2 different domains

This is a Windows question, and the fact that I have one private customer that's a Windows shop plus a Windows lab in my basement does not qualify me to really answer it.

But what the heck, it's only bytes on a disk.

You might want to convert olddomain to a backup domain controller, with the primary being the Windows 2003 server. It should be possible with trust relationships to maintain membership in the old domain and be backup domain controller in the new one.

This will service the old domain but provide access to all on those samba shares. This is a much more elegant solution than my first one. If it works.


SEP
Jonas Back_2
Super Advisor

Re: SAMBA verifying users against 2 different domains

Actually we do have trust between the domains. That's why the users can still access the Windows boxes.

But what about the other solution to create local accounts on the Linux boxes? Will this present a login box asking the user for username/password?

I guess I could try with our Linux tech guy, but he's away for the rest of the week and it would be nice to prepare some for him.
Steven E. Protter
Exalted Contributor

Re: SAMBA verifying users against 2 different domains

If you change smb.conf and stop validating users on the primary domain controller, when the users try and connect to a Linux share, they will be prompted for a password.

This is better than not having access at all.

They will not be able to change that password without having shell access on the Linux box. This puts the burden of maintaining passwords on the Linux administrator.

After changing smb.conf,

service smb restart

implements the changes.



SEP
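The smb.conf change discussed in the replies above, as an added example that is not part of the original posts: a domain-validated Samba 2.2 configuration next to the local-account (smbpasswd) configuration suggested for the transition. The controller name OLDPDC, the share name and path, the account names and the smbpasswd file location are assumptions made for illustration.

```ini
# Constructed smb.conf fragments (Samba 2.2 style); all names other than
# OLDDOMAIN are placeholders, not values from the thread.

# --- Before: logons are passed to the OLDDOMAIN controller ---
# (shown commented out; this is the mode the server is described as running in)
;[global]
;   workgroup = OLDDOMAIN
;   security = domain
;   password server = OLDPDC
;   encrypt passwords = yes

# --- During the transition: validate against local Samba accounts ---
[global]
   # Workgroup is only used for browsing in this mode
   workgroup = OLDDOMAIN
   # Authenticate against the local smbpasswd database instead of a DC
   security = user
   # Keep hashed (NTLM) authentication; do not fall back to plaintext
   encrypt passwords = yes
   # Assumed location; the file must be owned by root with mode 0600
   smb passwd file = /etc/samba/smbpasswd

[projects]
   # Placeholder share
   path = /srv/samba/projects
   # Only accounts that exist in /etc/passwd and were added with
   # "smbpasswd -a" can connect; list them explicitly
   valid users = alice bob
   read only = no
```

Running `testparm` against the edited file before restarting the service catches syntax errors and unknown parameters.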
Steven E. Protter
Exalted Contributor

Re: SAMBA verifying users against 2 different domains

Actually users may be able to change their Linux passwords if you let swat run via httpd server. We don't do that because of security concerns.

bzzz.

brain lock.

SEP
Works for points....