Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

[Samba] Winbind and Global Catalog

102 views
Skip to first unread message

Sven Anders

unread,
Aug 26, 2008, 4:59:49 AM8/26/08
to
Hello!

I have the following question:

Does winbind work with a Global Catalog?


To be more specific, I have the following scenario:

1. One AD Domain "GROUP" with a global catalog AD server (Windows 2003).

2. About 10 AD Domains "GROUP-1" ... "GROUP-10" (each Windows 2003),
representing 10 locations, which are joined to "GROUP".

This works well and every user, from each of the locations can
successfully use their account/profile.

3. One SAMBA server, which is successfully joined to "GROUP".

I now expected that a 'wbinfo -u' would list the accounts of all
domains (GROUP and GROUP-1, ..., GROUP-10).
Instead I only get accounts of the domain "GROUP".

The SAMBA server should work as an central transfer station
between the domains. Therefore I need every account on this server.

Do I missing some point or does it simply not work?

Regards
Sven

--
Sven Anders <and...@anduras.de> () Ascii Ribbon Campaign
/\ Support plain text e-mail
ANDURAS service solutions AG
Innstraße 71 - 94036 Passau - Germany
Web: www.anduras.de - Tel: +49 (0)851-4 90 50-0 - Fax: +49 (0)851-4 90 50-55

Rechtsform: Aktiengesellschaft - Sitz: Passau - Amtsgericht Passau HRB 6032
Mitglieder des Vorstands: Sven Anders, Marcus Junker
Vorsitzender des Aufsichtsrats: Mark Peters

signature.asc

Gerald (Jerry) Carter

unread,
Aug 26, 2008, 12:22:58 PM8/26/08
to
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Sven,

> Does winbind work with a Global Catalog?

Winbind does not rely upon global catalog. I added
some search APi recently for GC support but there are
not currently being used.

> To be more specific, I have the following scenario:
>
> 1. One AD Domain "GROUP" with a global catalog AD server (Windows 2003).
>
> 2. About 10 AD Domains "GROUP-1" ... "GROUP-10" (each Windows 2003),
> representing 10 locations, which are joined to "GROUP".
>
> This works well and every user, from each of the locations can
> successfully use their account/profile.
>
> 3. One SAMBA server, which is successfully joined to "GROUP".
>
> I now expected that a 'wbinfo -u' would list the accounts of all
> domains (GROUP and GROUP-1, ..., GROUP-10).
> Instead I only get accounts of the domain "GROUP".
>
> The SAMBA server should work as an central transfer station
> between the domains. Therefore I need every account on
> this server.

This should work in spite of GC or not. But enumerating
users is really expensive and I wonder if you really have
to do that. But that is another topic.

What doesn "wbinfo -m"? Sounds more like and problem with the
in forest trusts. What Samba version are you running?

cheers, jerry
- --
=====================================================================
Samba ------- http://www.samba.org
Likewise Software --------- http://www.likewisesoftware.com
"What man is a man who does not make the world better?" --Balian
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFItC3iIR7qMdg1EfYRAiV7AJ0cD9YzwKoXltKmYKNDewBWKZz30ACgtyql
i5MgsAJGp+9Lggg9OL8oUPk=
=jjMj
-----END PGP SIGNATURE-----
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba

Sven Anders

unread,
Aug 27, 2008, 4:29:53 AM8/27/08
to
Gerald (Jerry) Carter schrieb:

> Sven,
>
>> Does winbind work with a Global Catalog?
>
> Winbind does not rely upon global catalog. I added
> some search APi recently for GC support but there are
> not currently being used.

What does this mean?
Does winbind do not use the global catalog at all?

> This should work in spite of GC or not. But enumerating
> users is really expensive and I wonder if you really have
> to do that. But that is another topic.

What other possibilities do I have? Some faster?

> What doesn "wbinfo -m"? Sounds more like and problem with the
> in forest trusts. What Samba version are you running?

I'm running Samba-3.0.28a.

The "wbinfo -m" command lists all domains (GROUP and GROUP1..GROUP10).

Isn't joining to the CG-domain (GROUP) enough? Do I have join to
each domain separatly?

Do you need more info? What else can I check?

signature.asc

Gerald (Jerry) Carter

unread,
Aug 27, 2008, 10:27:19 AM8/27/08
to
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Sven Anders wrote:
> Gerald (Jerry) Carter schrieb:
>> Sven,
>>
>>> Does winbind work with a Global Catalog?
>> Winbind does not rely upon global catalog. I added
>> some search APi recently for GC support but there are
>> not currently being used.
>
> What does this mean?
> Does winbind do not use the global catalog at all?

Not currently.

>> This should work in spite of GC or not. But enumerating
>> users is really expensive and I wonder if you really have
>> to do that. But that is another topic.
>
> What other possibilities do I have? Some faster?
>
>> What doesn "wbinfo -m"? Sounds more like and problem with the
>> in forest trusts. What Samba version are you running?
>
> I'm running Samba-3.0.28a.

In the release notes for 3.2.0, you will see that the
support for domain and forest trusts was greatly improved.

Winbind and Active Directory Integration:
o Full support for Windows 2003 cross-forest, transitive trusts
and one-way domain trusts.
....

I'd suggest you give that version a try.

> The "wbinfo -m" command lists all domains
> (GROUP and GROUP1..GROUP10).
>
> Isn't joining to the CG-domain (GROUP) enough? Do I
> have join to each domain separatly?

It should be but we learned a lot during the work on 3.2.0.
Basically we use a 3step process to discover all possible
trust paths now in Winbind. I feel much more confident in
the trusted domain support in 3.2.x that previous releases.

cheers, jerry
- --
=====================================================================
Samba ------- http://www.samba.org
Likewise Software --------- http://www.likewisesoftware.com
"What man is a man who does not make the world better?" --Balian
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFItWRGIR7qMdg1EfYRAvUJAJ4gwC8far7qWtFDlQAcaqAiLD+3lQCePf5J
fH3c5CQMAS8DlNQ6p359fDY=
=Dr5K

Sven Anders

unread,
Sep 30, 2008, 4:47:26 AM9/30/08
to
Gerald (Jerry) Carter schrieb:

> Sven Anders wrote:
>> Gerald (Jerry) Carter schrieb:
>>> Sven,
>>>
>>>> Does winbind work with a Global Catalog?
>>> Winbind does not rely upon global catalog. I added
>>> some search APi recently for GC support but there are
>>> not currently being used.
>> What does this mean?
>> Does winbind do not use the global catalog at all?
>
> Not currently.
>
>>> This should work in spite of GC or not. But enumerating
>>> users is really expensive and I wonder if you really have
>>> to do that. But that is another topic.
>> What other possibilities do I have? Some faster?
>
>>> What doesn "wbinfo -m"? Sounds more like and problem with the
>>> in forest trusts. What Samba version are you running?
>> I'm running Samba-3.0.28a.
>
> In the release notes for 3.2.0, you will see that the
> support for domain and forest trusts was greatly improved.
>
> Winbind and Active Directory Integration:
> o Full support for Windows 2003 cross-forest, transitive trusts
> and one-way domain trusts.
> ....
>
> I'd suggest you give that version a try.

Thanks, with 3.2.3 it works like a charm!

Cheers, Sven

signature.asc
0 new messages