multiple smb domains possible?

Les Mikesell les at futuresource.com
Thu Sep 8 13:27:36 UTC 2005


On Thu, 2005-09-08 at 08:13, Brunnengraeber, Peter wrote:

>   Humm... I am not certain that you can unless you can figure out how to
> install two copies of Winbindd on the system.  I am not even sure if this is
> possible...

Thanks, but I'm not using winbindd - just the older pam_smb.  If they
work independently perhaps I could add winbindd.

> I would suggest that you create a Trust between the PDCs and the Active
> Directory.  Set it up so that your PDC will trust any users in the Active
> Directory. That should accomplish what you are attempting to do.

The trust exists and works for people using Windows products.  However,
I don't think it gives you the ability to log into the wrong domain.
I think you have to authenticate with your own domain controller, then
the credentials work with the other domain.  My problem is that
I don't know who will be in each domain at any particular time.  I
just want to accept the password if the user exists and it is correct
for either one.

> The only snag that may exist is if the Active Directory was set up in
> "Native Mode", the security permissions are such that your NT PDC will not
> be able to communicate with the AD.  If by chance, the admin who set up your
> new AD used "Compatible" mode (which I believe is default) then you should
> be able to set up the trust and all should be good.

It is working in compatible mode and the trust is working.  But if it
is supposed to be possible for a user in the other domain to log into
the wrong PDC, I am doing something wrong.

-- 
   Les Mikesell
    les at futuresource.com




