I had a task to share Unix resources between 2 Active Directory domains simultaneously.
Samba does not support multiple domains but why should it? Windows systems belong to one domain at a time. However it’s technically possible to share Unix resources between multiple domains.
This guide is designed for experienced users and requires solid Samba and Linux skills.
LDAP/Kerberos or WINBIND Integration
If you are using centralised user management on the Linux host via standard LDAP/Kerberos or WINBIND integration you only need 2 way trust between the domains. No configuration change should be needed on the Linux side although I cannot confirm this as I don’t have access to such a system.
Mapped Local Users
If you use local users on Linux and map them to certain AD users, beside 2 way trust you need special care. This is very popular and makes file sharing very easy amongst many users.
Your samba mapping file generally should look like this:
-snip- !user1 = MYDOMAIN\FirstName.LastName MYDOMAIN.COM\FirstName.LastName !user2 = MYDOMAIN\FirstName.LastName MYDOMAIN.COM\FirstName.LastName -snip-
Each line of the map file may be up to 1023 characters long so we can simply add
the other DOMAIN user to the same user mapping line in the following fashion:
-snip- !user1 = OLDOMAIN\FirstName.LastName OLDOMAIN.COM\FirstName.LastName NEWDOMAIN\FirstName.LastName NEWDOMAIN.COM\FirstName.LastName !user2 = OLDOMAIN\FirstName.LastName OLDOMAIN.COM\FirstName.LastName NEWDOMAIN\FirstName.LastName NEWDOMAIN.COM\FirstName.LastName -snip-
- 2 way trust between the domains is required here too
- the mapping file is processed line by line
- ! instructs samba to stop processing the file if the mapping was done
- modifying the mapping file doesn’t require samba service restart
This is one way of doing it, I found this to be the cleaner than having various mappings for the same user.
I have seen many guides on the Internet where users hardcode the AD server their Samba is supposed to connect to. This is wrong and if that server becomes unavailable you will be in trouble.
Adding * at the end of the line will give different meaning to the line. The specified server will be a preference only and if it cannot be reached Samba will do a DNS lookup to find AD controllers just as Windows systems do.
root@geeko~ # vi /etc/samba/smb.conf -snip- password server = preferred.AD.server.com * -snip-
You can find your AD controllers by DNS lookup too, one way of doing it:
root@geeko~ # host -t srv _kerberos._tcp.MYDOMAIN.COM _kerberos._tcp.MYDOMAIN.COM has SRV record 0 100 88 SERVER1.MYDOMAIN.COM. _kerberos._tcp.MYDOMAIN.COM has SRV record 0 100 88 SERVER2.MYDOMAIN.COM.