winbind Across Trusted Domains

  • winbind Across Trusted Domains

    Environment:

    New active directory forest
    empty root domain: x.tld (Windows 2008 R2 domain controllers: dc01.x.tld and dc02.x.tld)
    child domain: prod.x.tld (Windows 2008 R2 domain controllers: dcp01.x.tld and dcp02.x.tld)
    child domain: office.x.tld (Windows 2008 R2 domain controllers: dco01.x.tld and dco02.x.tld)

    All six domain controllers are VMware virtual machines currently running on the same hardware and in the same subnet (172.18.50.0), although OFFICE will be moved to another network at a later date.

    User accounts reside in OFFICE, with User Principal Name (UPN) form of loginID@x.tld, and "Pre-Windows 2000" format of OFFICE\loginID

    A service account called winbind is set up in PROD: [email protected]

    Red Hat Enterprise Linux (RHEL) host is bound to PROD using winbind. The plan is to use the user credentials in OFFICE to authenticate to the RHEL hosts in PROD (and DEV when that is added to the forest at a later date).

    Problem: winbind cannot retrieve information about users and groups in OFFICE, but it can for the users and groups in PROD.

    Is it possible for winbind to work across trusted domains?
    [[email protected] ~]# wbinfo -u
    prodadmin
    guest
    krbtgt
    x$ [empty root domain, x.tld ?]
    vcenteradmin
    office$ [trusted domain, office.x.tld ?]
    winbind


    [[email protected] ~]# wbinfo -g
    domain computers
    domain controllers
    cert publishers
    domain admins
    domain users
    domain guests
    group policy creator owners
    ras and ias servers
    allowed rodc password replication group
    denied rodc password replication group
    read-only domain controllers
    dnsadmins
    dnsupdateproxy
    dhcp users
    dhcp administrators
    netmon users
    rdp-office [this is the group created per forums.petri.com/showthread.php?t=54303 to allow office users to RDP into PROD servers]



    [[email protected] ~]# id robertr
    id: robertr: No such user


    [[email protected] ~]# id [email protected]
    id: [email protected]: No such user [there is a delay of about 5 - 10 seconds before this result is returned]

    [[email protected] ~]#
    Last edited by Robert R.; 25th March 2011, 01:19.

  • #2
    Re: winbind Across Trusted Domains

    I'm not going to pretend to understand what the Unix admins did, but the workaround at this point is to have the users log in with their credentials in the format of

    OFFICE+userID

    when they need to access Unix/Linux hosts and applications.

    Logging into Windows hosts and applications works as expected with OFFICE\userID and userID@x.tld credentials.
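    An smb.conf fragment added here as an illustration (it is not the original poster's configuration, and the Unix admins' actual file is not shown in the thread). It is what a winbind member of PROD typically needs before users from the trusted OFFICE domain resolve: an explicit, non-overlapping idmap range for each trusted domain, trusted domains allowed, and the `+` separator that the OFFICE+userID workaround in the reply implies. Workgroup/realm values are derived from the domain names in the question; the ranges and template paths are assumptions.

```ini
[global]
   workgroup = PROD
   realm = PROD.X.TLD
   security = ads

   # The reply's OFFICE+userID login form only works with this separator;
   # keep "use default domain" off so OFFICE and PROD names cannot collide.
   winbind separator = +
   winbind use default domain = no
   allow trusted domains = yes
   winbind enum users = yes
   winbind enum groups = yes
   winbind nested groups = yes

   # Catch-all mapping for any domain without its own block (Samba >= 3.6
   # syntax; on the Samba 3.5 shipped with RHEL 6 the equivalent is
   # "idmap backend = tdb" plus "idmap uid"/"idmap gid" ranges).
   idmap config * : backend = tdb
   idmap config * : range = 10000-19999

   # Deterministic RID-based mapping per domain. A trusted domain with no
   # range, or one overlapping another, is the usual reason its accounts
   # come back as "No such user" while the joined domain's accounts resolve.
   idmap config PROD : backend = rid
   idmap config PROD : range = 100000-199999
   idmap config OFFICE : backend = rid
   idmap config OFFICE : range = 200000-299999

   # Assumed defaults for accounts that carry no POSIX attributes in AD.
   template shell = /bin/bash
   template homedir = /home/%D/%U
```

    After restarting winbind, `wbinfo -m` should list OFFICE among the trusted domains and `wbinfo --domain=OFFICE -u` / `id OFFICE+robertr` should resolve the OFFICE accounts that `id robertr` could not. UPN-form lookups such as `id robertr@x.tld` are a separate matter: winbind resolves DOMAIN+user names, and the multi-second delay before "No such user" is consistent with it first trying to locate a domain named after the UPN suffix.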
