winbind Across Trusted Domains

This topic has 1 reply, 1 voice, and was last updated 9 years, 9 months ago by Robert R..

Viewing 1 post (of 1 total)

Author

Posts
Robert R.
Participant

Mar 24, 2011 at 5:47 pm #153977

Environment:

New active directory forest
empty root domain: x.tld (Windows 2008 R2 domain controllers: dc01.x.tld and dc02.x.tld)
child domain: prod.x.tld (Windows 2008 R2 domain controllers: dcp01.x.tld and dcp02.x.tld)
child domain: office.x.tld (Windows 2008 R2 domain controllers: dco01.x.tld and dco02.x.tld)

All six domain controllers are VMware virtual machines currently running on the same hardware and in the same subnet (172.18.50.0), although OFFICE will be moved to another network at a later date.

User accounts reside in OFFICE, with User Principal Name (UPN) form of loginID @x.tld , and “Pre-Windows 2000” format of OFFICEloginID

A service account called winbind is set up in PROD : [email protected]

Red Hat Enterprise Linux (RHEL) host is bound to PROD using windbind. The plan is to use the user credentials in OFFICE to authenticate to the RHEL hosts in PROD (and DEV when that is added to the forest at a later date).

Problem: winbind cannot retrieve information about users and groups in OFFICE , but it can for the users and groups in PROD

Is it possible for winbind to work across trusted domains?

[[email protected] ~]# wbinfo -u
prodadmin
guest
krbtgt
x$ I]empty root domain, [FONT=Courier New]x.tld[/FONT] ?[/I
vcenteradmin
office$ I]trusted domain, [FONT=Courier New]office.x.tld[/FONT] ?[/I
winbind

[[email protected] ~]# wbinfo -g
domain computers
domain controllers
cert publishers
domain admins
domain users
domain guests
group policy creator owners
ras and ias servers
allowed rodc password replication group
denied rodc password replication group
read-only domain controllers
dnsadmins
dnsupdateproxy
dhcp users
dhcp administrators
netmon users
rdp-office I]this is the group created per [URL=”http://forums.petri.com/showthread.php?t=54303″%5Dforums.petri.com/showthread.php?t=54303%5B/URL%5D to allow office users to RDP into [FONT=Courier New]PROD[/FONT] servers[/I

[[email protected] ~]# id robertr
id: robertr: No such user

[[email protected] ~]# id [email protected]
id: [email protected]: No such user I]there is a delay of about 5 – 10 seconds before this result is returned[/I

[[email protected] ~]#
Author

Posts

Viewing 1 post (of 1 total)

You must be logged in to reply to this topic.

Join the Conversation

We use cookies to improve your browsing experience.