The problem: I need to be able for clients of Dom1 to place data onto the
filer
so that members of Dom2 can access the data and vice versa.
Ordinarily, users in one domain are not permitted to access resources in another domain unless there is a trust relationship betwixt the domains. This holds for any Windows NT resident resource (shares, printers etc...) as well as filer based resources. If you can not put the needed trust relationship in place (for whatever reason), your only option is to enable and use the so-called "anonymous access" provision which is provided within the Windows NT security model.
On a filer, this is quite simple (as ever! :-)). You just need to set the "cifs.guest_account" option to a valid user identity that is defined within the filer's /etc/passwd file (or the NIS passwd.byname equivalent thereof). So, for example, if you...
options cifs.guest_account dom2usrs
... then the CIFS users defined in Dom2 will be able to access the filer anonymously, and they will be mapped to the UNIX "dom2usrs" account (which in turn maps to a UNIX UID) for the puproses of assessing what they can and cannot do to the file system. More specifically, their "dom2usrs" identity will be used to assess what they can and cannot do to a UNIX-Style file system. On an NTFS-Style file system, they will be controlled by NTFS permissions, and their identity will, I believe, be defined as the Windows NT "AnonymousLogon" well known SID (S-1-5-7, if you care! :-)).
The shares that the users in Dom2 want to connect to, as well as the areas of the file system they wish to access will have to be somehow accessible to these accounts. This will usually mean manipulating file system permissions and share level ACLs to provide these users with the level of access they need. Unfortunately you do not have the option to control these users access individually.
Keith
-
Keith Brown