Subscribe

How to map one Windows domain (local) to another?

I have an issue which occured after moving from Samba to the NetApp. With Samba I had a connecting Windows PC which was not part of the default domain. Samba allows one to serve a unique configuration for each connecting system (eg. smb.conf.hostname1, smb.conf.hostname2). Previously, we were able to set a security setting of "share" instead of "server" with the connecting PC, which had a non-domain (local) account.

Present situation is the NetApp, but we do not seem to be able to create custom configuration files specific to the connecting client. If our default domain is XYZ, and the connecting machine is named ABC, we see a connected session as

192.168.0.100(ABC) (ABC\local_account - pcuser[guest])

What I would like to see is

192.168.0.100(ABC) (ABC\local_account - xyz_domain_account)

Where xyz_domain_account is an ID in the XYZ domain. I cannot seem to keep NetApp from mapping the connecting user to pcuser[guest]. I've tried fussing with /etc/usermap.cfg, but this seems to deal with mapping unix<->windows, and not windows<->windows. Is there any way to map a connecting Windows local account to a domain account? Would putting ABC in the domain search order list be of any help?

Re: How to map one Windows domain (local) to another?

I am not sure what you are asking. Do you want your filer to be a Windows member server in two different domains? If this is the case, I do not think this is possible. Can only be a member in one domain to my knowledge. What about using a trust relasionship between the domains?

Re: How to map one Windows domain (local) to another?

Have found a work around if you only need your host from a different domain to connect to the filerin a different domain.

Set the host to have a local account and configure snapdrive service to use this account. Create the CIFS share on the filer to use workgroup security.

Works for me.

Re: How to map one Windows domain (local) to another?

I believe the confusion might be in your interpretation of the 'cifs session' output. The user information there is a combination of the Windows ID and the UNIX ID. Since the "local_account" ID is not in the filer's /etc/passwd file, the "pcuser" ID is used. If you put the ID "local_account" in the /etc/passwd file, the cifs session output would appear as you expect. However, I don't believe that will resolve your issue.

I have a situation where a filer in domain XYZ is accessed by users that belong to domain NOP. To make this work, I had to set the global option:

cifs.universal_nested_groups.enable off

In this case, NOP is trusted by XYZ.