Dual Domain Membership in UNIX

Clocker

Storage? I am Storage!
Joined
Jan 14, 2002
Messages
3,554
Location
USA
Hey All-

The IT dept. here at work is giving me a hard time about one of the UNIX machines I use (at a remote location). They are telling me it can be a member of only one domain (the one defined by the remote location) and that I won't be able to access any files I have on the other domain (at my normal location).

Is this true? Is there any reason a UNIX box can't access two domains at the same time? I have a home directory on Domain X and want to access files in that domain from Domain Y.

Thanks,
C
 

honold

Storage is cool
Joined
Nov 14, 2002
Messages
764
if you only need to access files you don't have to be a member of the domain. just join the workgroup and use your full domain name in your login.

never looked into dual domain samba, as windows doesn't support dual membership and workgroups do the trick just fine.
 

Clocker

As far as I know, it is an all HP-UX 11 Unix system.

Thanks for any advice you can provide,
C
 

Mercutio

Fatwah on Western Digital
Joined
Jan 17, 2002
Messages
22,269
Location
I am omnipresent
Probably NFS then. There are a couple of USENIX whitepapers on dual NFS domain security. You can point your IT people to them, but they may very well have a technical reason for not being able to do what you want.
 

Howell

Storage? I am Storage!
Joined
Feb 24, 2003
Messages
4,740
Location
Chattanooga, TN
Mercutio said:
Are we talking about NFS administrative domains or Windows security domains?

For all we know it could be DNS domains. Not that that makes any more sense. Clocker, can you give us an example of a "domain name"?
 

Clocker

cadh0062.jprfe.nagme.gm.com

Is an example of what the domain name of one of my machines might look like...

C
 

honold

domain = windows workgroup that uses centralized authentication on a server (such as win2k server with active directory)

domain name = yahoo.com, an internet hostname registered officially in dns

nfs domain = kludgy term for an understandably unliked file sharing protocol, nfs.

most larger environments which use nfs use nis for authentication, where users are authenticated against a centralized database (a la active directory). nfs validates users by their user id, which is just going to be a unique (static) number. joe will always be uid 1003, tom will always be uid 1004, etc. nfs validates via uids, so it thinks uid 1003 is joe, uid 1004 is tom, etc.

if somebody has administrative privileges on the unix system they're using, they can become any uid they want, effectively allowing them to pretend to be somebody else, access their files, etc. this is clearly a security nightmare.

the best solution i see would be to ask the admins on the other side to grant you ftp access to the files you need.
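
Added example, not part of the original thread: since NFS identifies users only by numeric uid, as the post above explains, a host that mounts file systems from two domains depends on both domains agreeing on uids. The sketch below compares two passwd-format maps (for instance the output of `ypcat passwd` in each NIS domain) and reports where they disagree; the account data is constructed and the function names are this example's own.

```python
# Added example: compare the passwd maps of two NIS domains for uid conflicts.
# All account data below is constructed; function names are this example's own.
from collections import defaultdict

DOMAIN_X_PASSWD = """\
root:*:0:3::/:/sbin/sh
joe:*:1003:20:Joe:/home/joe:/usr/bin/sh
tom:*:1004:20:Tom:/home/tom:/usr/bin/sh
clk:*:1010:20:C:/home/clk:/usr/bin/sh
"""
DOMAIN_Y_PASSWD = """\
root:*:0:3::/:/sbin/sh
ann:*:1003:20:Ann:/home/ann:/usr/bin/sh
tom:*:1004:20:Tom:/home/tom:/usr/bin/sh
clk:*:2210:20:C:/home/clk:/usr/bin/sh
+::::::
"""

def parse_passwd(text):
    """Return {login: uid} from passwd-format text, skipping unusable lines."""
    users = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        # Skip blanks, comments, NIS '+'/'-' compat entries and non-numeric uids.
        if len(fields) < 7 or fields[0][:1] in ("", "#", "+", "-"):
            continue
        if fields[2].isdigit():
            users[fields[0]] = int(fields[2])
    return users

def uid_conflicts(x, y):
    """Compare two {login: uid} maps; return (shared_uids, split_logins).
    shared_uids: uid -> (X logins, Y logins) whose owners differ (uid-only NFS confuses them).
    split_logins: login -> (X uid, Y uid) where one login carries two uids.
    """
    by_uid_x, by_uid_y = defaultdict(set), defaultdict(set)
    for login, uid in x.items():
        by_uid_x[uid].add(login)
    for login, uid in y.items():
        by_uid_y[uid].add(login)
    shared_uids = {u: (sorted(by_uid_x[u]), sorted(by_uid_y[u]))
                   for u in by_uid_x.keys() & by_uid_y.keys()
                   if by_uid_x[u] != by_uid_y[u]}
    split_logins = {n: (x[n], y[n]) for n in x.keys() & y.keys() if x[n] != y[n]}
    return shared_uids, split_logins

if __name__ == "__main__":
    print(uid_conflicts(parse_passwd(DOMAIN_X_PASSWD), parse_passwd(DOMAIN_Y_PASSWD)))
```

An empty result for both dictionaries means the two maps agree on every uid and login they have in common.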