Authentication through Transitive Trusts

Ken Cross kcross at nssolutions.com
Wed Apr 2 21:39:15 GMT 2003


Thanks, Marc -- glad to see I'm not totally nuts.  :)

The only problem with the explicit trust solution is that the customer
has dozens (hundreds?) of AD servers, and we don't want to get into the
Complete Trust nightmare of the NT days.

Hope Tridge hears you... :)

Ken
________________________________

Ken Cross

Network Storage Solutions
Phone 865.675.4070 ext 31
kcross at nssolutions.com 

> -----Original Message-----
> From: Marc Kaplan [mailto:MKaplan at snapappliance.com] 
> Sent: Wednesday, April 02, 2003 4:26 PM
> To: Marc Kaplan; 'Ken Cross'; 'Rafal Szczesniak'; 'tridge at samba.org'
> Cc: 'Multiple recipients of list SAMBA-TECHNICAL'
> Subject: RE: Authentication through Transitive Trusts
> 
> 
> Whops, I drew the tree wrong, it really looks like this
> 
> b.domain<---------->a.domain<----------->c.domain
> 
> Also, not that it's a fix for this issue, there is a viable workaround,
> which is to establish a cross link trust and make the implicit trust
> explicit. So the above becomes this:
> 
> b.domain<---------->a.domain<----------->c.domain
> |							    |
> |--------------Cross Link Trust---------------|
> 
> 				-Marc
> -----Original Message-----
> From: Marc Kaplan [mailto:MKaplan at snapappliance.com]
> Sent: Wednesday, April 02, 2003 1:18 PM
> To: 'Ken Cross'; 'Rafal Szczesniak'; 'tridge at samba.org'
> Cc: 'Multiple recipients of list SAMBA-TECHNICAL'
> Subject: RE: Authentication through Transitive Trusts
> 
> 
> Ken,
> 
> I have the following configuration:
> 
> a.domain<---------->b.domain<----------->c.domain
> 
> a.domain is the root of this tree, and there are tree-root trusts (in AD
> parlance) between these domains. If I join a.domain, I can successfully
> authenticate from b.domain and c.domain. However, if I join c.domain,
> b.domain lists DISCONNECTED in a wbinfo --sequence. Same goes for joining
> c.domain -- I get DISCONNECTED to b.domain.
> 
> The following situation, however, seems to work fine for me (I hope my
> drawing shows up correctly)
> 
> 	          top.dom
> 			 ^
> 			 |
> 			 |
> 			 V
> child1.top.dom<--------------->child2.top.dom
> 
> I have successful authentication between all of the domains in this AD
> structure.
> 
> The problem with a.domain, b.domain and c.domain, Tridge looked at when he
> was working at Snap and he traced it to a problem in the MIT kerberos code
> assuming a child-parent trust when the trusts were really tree-root trusts.
> 
> Originally, I was getting the problem you're seeing, that transitive trusts
> could not be discovered in wbinfo -m (or wbinfo --sequence), but Tridge
> fixed that at least for our code base. Maybe it has not been merged to
> samba.org. Tridge?
> 
> 
> 			-Marc
> 
> 
> 
> -----Original Message-----
> From: Ken Cross [mailto:kcross at nssolutions.com]
> Sent: Wednesday, April 02, 2003 12:37 PM
> To: 'Rafal Szczesniak'
> Cc: 'Multiple recipients of list SAMBA-TECHNICAL'
> Subject: RE: Authentication through Transitive Trusts
> 
> 
> All operations are working correctly, including user/group mapping,
> user/group listings, authentication, etc.  
> 
> And everything works fine for domains listed in wbinfo -m.  The only
> problem comes when trying to authenticate against a sibling in the
> forest (KAMA vs. CAMP in my example).  These are transitive trusts and
> don't get listed in wbinfo -m.
> 
> I was mainly looking to see if anybody else has done this successfully
> in similar configurations.
> 
> Ken
> ________________________________
> 
> Ken Cross
> 
> Network Storage Solutions
> Phone 865.675.4070 ext 31
> kcross at nssolutions.com 
> 
> > -----Original Message-----
> > From: samba-technical-bounces+kcross=nssolutions.com at lists.samba.org
> > [mailto:samba-technical-bounces+kcross=nssolutions.com at lists.samba.org] On Behalf Of Rafal Szczesniak
> > Sent: Wednesday, April 02, 2003 3:27 PM
> > To: Ken Cross
> > Cc: 'Multiple recipients of list SAMBA-TECHNICAL'
> > Subject: Re: Authentication through Transitive Trusts
> > 
> > 
> > On Tue, Apr 01, 2003 at 10:45:07AM -0500, Ken Cross wrote:
> > > Samba-folk:
> > > 
> > > I have an Active Directory with SUPTRA at the top and 2 other AD
> > > servers, KAMA and CAMP.
> > > 
> > > If Samba joins KAMA, it can authenticate against KAMA and/or SUPTRA,
> > > but not CAMP.  wbinfo -u shows users from all 3 servers, but wbinfo -m
> > > only shows SUPTRA.
> > > 
> > > KAMA and CAMP have an implicit transitive trust, but I can't seem to
> > > get Samba to use it.  The authentication request is sent to KAMA, but
> > > it gets NT_STATUS_NO_SUCH_USER.  (Same results if it joins CAMP and
> > > tries to authenticate against KAMA.)
> > 
> > Sounds like winbind doesn't map to unix uids correctly, or
> > your ads domain join didn't work. You use winbind, don't you?
> > 
> > > Is there some trick to using transitive trusts (SAMBA_3_0)?
> > 
> > Nope. Just make sure you have 'allow trusted domains = yes'. 
> > It's set this way by default.
> > 
> > 
> > cheers,
> > -- 
> >  Rafal Szczesniak      mimir[at]diament.ists.pwr.wroc.pl
> >  Samba Team member     mimir[at]samba.org
> > +---------------------------------------------------------+
> >  *BSD, GNU/Linux and Samba          http://www.samba.org
> > +---------------------------------------------------------+
> > 
> 
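The thread's diagnostics are the `wbinfo -m` listing (which sibling domains are missing), `wbinfo --sequence` (which trusted domains show DISCONNECTED) and the `allow trusted domains` setting in smb.conf. The script below is an added example, not code from the thread or from the Samba project: it turns those three checks into shell functions that a winbind health check could run. It assumes the Samba 3 `wbinfo --sequence` line format `DOMAIN : <number|DISCONNECTED>` and feeds the functions constructed sample output instead of calling `wbinfo` on a live system; the domain names SUPTRA, KAMA and CAMP are taken from Ken's original message.

```shell
#!/bin/sh
# Added example (not from the thread or from Samba): sanity checks for
# winbind trust enumeration, as discussed above.
# Assumed line format for 'wbinfo --sequence': "DOMAIN : <number|DISCONNECTED>".

# Constructed sample of 'wbinfo --sequence' output (not captured from a real host).
SAMPLE_SEQUENCE='BUILTIN : 1
SUPTRA : 1523
KAMA : 880
CAMP : DISCONNECTED'

# Constructed sample of 'wbinfo -m' output: the sibling CAMP is missing,
# which is the symptom described in the thread.
SAMPLE_TRUSTED='SUPTRA
KAMA'

# Print the names of domains whose sequence state is DISCONNECTED.
# $1 = text of 'wbinfo --sequence' output.
disconnected_domains() {
    printf '%s\n' "$1" | awk -F' : ' '$2 == "DISCONNECTED" { print $1 }'
}

# Print each expected domain that is absent from the 'wbinfo -m' listing.
# $1 = text of 'wbinfo -m' output; remaining args = domains that should appear.
missing_trusted_domains() {
    listing="$1"; shift
    for dom in "$@"; do
        printf '%s\n' "$listing" | grep -qx "$dom" || printf '%s\n' "$dom"
    done
}

# Return 0 when 'allow trusted domains' is enabled in the given smb.conf text.
# The parameter defaults to yes (as Rafal notes), so an unset value counts as enabled.
# $1 = text of smb.conf.
allow_trusted_enabled() {
    val=$(printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*allow trusted domains[[:space:]]*=[[:space:]]*//p' \
        | tail -n 1 | tr 'A-Z' 'a-z' | tr -d '[:space:]')
    case "$val" in
        ''|yes|true|1) return 0 ;;
        *) return 1 ;;
    esac
}

# Stand-alone run over the constructed samples: on a real host replace the
# SAMPLE_* variables with "$(wbinfo --sequence)", "$(wbinfo -m)" and the
# contents of smb.conf.
echo "DISCONNECTED domains:"
disconnected_domains "$SAMPLE_SEQUENCE"
echo "expected domains missing from wbinfo -m:"
missing_trusted_domains "$SAMPLE_TRUSTED" SUPTRA KAMA CAMP
if allow_trusted_enabled "$(printf '[global]\nworkgroup = KAMA\n')"; then
    echo "allow trusted domains: enabled"
else
    echo "allow trusted domains: disabled"
fi
```

A domain that is listed by `wbinfo -m` but DISCONNECTED in `wbinfo --sequence` points at a trust that winbind knows about but cannot reach; a domain absent from `wbinfo -m` altogether (CAMP in the sample) matches the transitive-trust enumeration problem the thread is about, and the workaround Marc describes is an explicit cross link trust so the domain shows up directly.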