Authentication through transitive trusts

Chere Zhou qzhou at isilon.com
Thu Jul 17 21:51:39 GMT 2003


I just checked with my 3.0alpha21 installation.  I have Samba joined to a.com, 
and there are b.a.com and c.b.a.com.  There is a sequence number for 
c.b.a.com, and wbinfo -u lists c.b.a.com users too.   I can also connect to 
the Samba box as a user in c.b.a.com.   Is there something in the current code 
that broke it?    I do not have cross-root trusts right now to test with, though.


On Thursday 17 July 2003 02:18 pm, Ken Cross wrote:
> I think they're the same issue.
>
> No, you don't see the sequence numbers for any except the parent or child.
> No, you can't authenticate to anything except the parent or child.
>
> Ken
> ________________________________
>
> Ken Cross
>
> Network Storage Solutions
> Phone 865.675.4070 ext 31
> kcross at nssolutions.com
>
> > -----Original Message-----
> > From: Marc Kaplan [mailto:MKaplan at snapappliance.com]
> > Sent: Thursday, July 17, 2003 5:15 PM
> > To: 'Ken Cross'; 'Multiple recipients of list SAMBA-TECHNICAL'
> > Subject: RE: Authentication through transitive trusts
> >
> >
> > Ken,
> >
> > So if you have:
> > a.test
> > 	b.a.test
> > 		c.b.a.test
> >
> > And you join c.b.a.test do you get a sequence number from
> > a.test? I just want to find out if we're talking about the
> > same thing(My issue is before a client can even try to
> > authenticate -- we don't get the users/groups).
> >
> > It sounds to me like your issue is authentication, which is a
> > step after mine...
> >
> > 			-Marc
> >
> > > -----Original Message-----
> > > From: Ken Cross [mailto:kcross at nssolutions.com]
> > > Sent: Thursday, July 17, 2003 2:10 PM
> > > To: Marc Kaplan; 'Multiple recipients of list SAMBA-TECHNICAL'
> > > Subject: RE: Authentication through transitive trusts
> > >
> > >
> > > You're right, of course, about the "need" for Resource/Authentication
> > > domains in AD.  That's a holdover from NT domains, but they are still
> > > very common.
> > >
> > > A parent-child trust works OK, but a parent-grandchild trust doesn't.
> > > Anywhere that it isn't a direct parent-child connection seems to fail.
> >
> > > Ken
> > > ________________________________
> > >
> > > Ken Cross
> > >
> > > Network Storage Solutions
> > > Phone 865.675.4070 ext 31
> > > kcross at nssolutions.com
> > >
> > > > -----Original Message-----
> > > > From: Marc Kaplan [mailto:MKaplan at snapappliance.com]
> > > > Sent: Thursday, July 17, 2003 5:06 PM
> > > > To: 'Ken Cross'; 'Multiple recipients of list SAMBA-TECHNICAL'
> > > > Subject: RE: Authentication through transitive trusts
> > > >
> > > > Ken wrote:
> > > > > This is a Big Deal for using Samba in enterprise systems.
> > > > > Transitive trusts relieve the admin of having to maintain tons of
> > > > > trust relationships.  But Samba can't use them, which makes it much
> > > > > tougher to integrate into a large AD forest.  This is especially
> > > > > true where file servers (e.g., Samba) are typically placed in
> > > > > Resource domains and expected to use Authentication domains for
> > > > > authenticating users connecting to shares.
> > > >
> > > > Does anybody use the concept of resource domains vs.
> > > > authentication domains in an Active Directory environment? I
> > > > thought AD obviated the need for that since the Active
> > > > Directory can scale much more than the NT4 SAM could.
> > > >
> > > > That said, I have been having similar problems to Ken.
> > > > Especially if I have a tree-root transitive trusts i.e.
> > > > (a-test.dom b-test.dom and c-test.dom). a-test.dom is the
> > > > operations master for everything (RID allocation, PDC
> > > > Emulator, and Infrastructure). If Samba joins a-test.dom,
> > > > clients from all domains can authenticate to a-test.dom. If a
> > > > Samba box joins b-test.dom, then it will not be able to look up the
> > > > sequence for c-test.dom.
> > > >
> > > > So the problem I've seen (though it's been a while since I've
> > > > worked on
> > > > this) is that tree-root transitive trusts have a problem, but
> > > > parent-child trusts work fine.
> > > >
> > > > 				-Marc
> > > >
> > > > > -----Original Message-----
> > > > > From: Ken Cross [mailto:kcross at nssolutions.com]
> > > > > Sent: Thursday, July 17, 2003 10:33 AM
> > > > > To: 'Multiple recipients of list SAMBA-TECHNICAL'
> > > > > Subject: RE: Authentication through transitive trusts
> > > > >
> > > > >
> > > > > Samba-folk:
> > > > >
> > > > > On further investigation, apparently Samba 3.0 cannot (and will
> > > > > not in the near future) be able to authenticate through transitive
> > > > > trusts.  For example, in a simple AD forest:
> > > > >
> > > > >   PARENT
> > > > >
> > > > >     +-> CHILD1
> > > > >     +-> CHILD2
> > > > >
> > > > > If Samba joins PARENT, it can authenticate against any server.
> > > > > But if it joins CHILD1 or CHILD2, it cannot authenticate against
> > > > > the other child, which is connected via a transitive trust.  You
> > > > > must set up an explicit trust between CHILD1 and CHILD2.
> > > > >
> > > > > The reason is simple: you need Kerberos authentication for it to
> > > > > work.  Samba doesn't use Kerberos for anything except its machine
> > > > > account, and I'm not aware of anything in the works to use Kerberos
> > > > > for user authentication.
> > > > >
> > > > > This is a Big Deal for using Samba in enterprise systems.
> > > > > Transitive trusts relieve the admin of having to maintain tons of
> > > > > trust relationships.  But Samba can't use them, which makes it much
> > > > > tougher to integrate into a large AD forest.  This is especially
> > > > > true where file servers (e.g., Samba) are typically placed in
> > > > > Resource domains and expected to use Authentication domains for
> > > > > authenticating users connecting to shares.
> > > > >
> > > > > This is as of SAMBA_3_0 Beta 3.
> > > > >
> > > > > I'm not bitching -- just making people aware.  (If I'm wrong, I'd be
> > > > > *delighted* -- please correct me!)
> > > > >
> > > > > Thanks,
> > > > > Ken
> > > > > ________________________________
> > > > >
> > > > > Ken Cross
> > > > >
> > > > > Network Storage Solutions
> > > > > Phone 865.675.4070 ext 31
> > > > > kcross at nssolutions.com
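The thread turns on one question: does a Samba box joined to one domain reach a user's domain only when that domain is trusted directly, or can it walk the chain of transitive trusts (parent to child to grandchild, or tree root to forest root to another tree root)? The script below is a simplified model added here to make that difference concrete; it is not Samba or winbind code and not code from any poster. The domain names are the constructed ones used in the thread, the trust lists are constructed from the topologies the posters describe, and the two lookup strategies are assumptions of the model, not a description of how any Samba release resolved trusts.

```python
"""Simplified model of trust-path resolution in an AD forest.

Added illustration, not Samba code.  It contrasts two lookup strategies:
consulting only domains the joined domain trusts directly, versus walking
transitive trusts to find a referral chain to the user's domain.
"""
from collections import deque

# Constructed topology from Marc's parent/child/grandchild example.
# Each entry is a two-way transitive trust as AD creates it.
PARENT_CHILD_FOREST = [
    ("a.test", "b.a.test"),        # parent-child
    ("b.a.test", "c.b.a.test"),    # parent-child (grandchild of the root)
]

# Constructed topology from Marc's tree-root example: a-test.dom is the
# forest root, the other two are additional trees joined by tree-root trusts.
TREE_ROOT_FOREST = [
    ("a-test.dom", "b-test.dom"),
    ("a-test.dom", "c-test.dom"),
]


def build_graph(trusts):
    """Adjacency map; trusts are two-way, so both directions are recorded."""
    graph = {}
    for x, y in trusts:
        graph.setdefault(x, set()).add(y)
        graph.setdefault(y, set()).add(x)
    return graph


def direct_trusts(trusts, joined):
    """Domains the joined domain trusts directly (one hop, no transitivity)."""
    return set(build_graph(trusts).get(joined, set()))


def referral_path(trusts, joined, target):
    """Shortest chain of transitive trusts from `joined` to `target`.

    Returns a list such as ['b-test.dom', 'a-test.dom', 'c-test.dom'],
    or None when no trust path exists at all.
    """
    graph = build_graph(trusts)
    if joined == target:
        return [joined]
    prev = {joined: None}          # breadth-first search, remembering parents
    queue = deque([joined])
    while queue:
        cur = queue.popleft()
        for nxt in sorted(graph.get(cur, ())):
            if nxt in prev:
                continue
            prev[nxt] = cur
            if nxt == target:
                path = [target]
                while prev[path[-1]] is not None:
                    path.append(prev[path[-1]])
                return path[::-1]
            queue.append(nxt)
    return None


def can_authenticate(trusts, joined, user_domain, walk_transitive):
    """True if a server joined to `joined` can reach `user_domain`'s DC.

    walk_transitive=False models a client that only talks to directly trusted
    domains (assumed model of the failing behaviour described in the thread);
    True models following the referral chain through transitive trusts.
    """
    if user_domain == joined:
        return True
    if walk_transitive:
        return referral_path(trusts, joined, user_domain) is not None
    return user_domain in direct_trusts(trusts, joined)


if __name__ == "__main__":
    cases = [
        (PARENT_CHILD_FOREST, "a.test", "c.b.a.test"),
        (TREE_ROOT_FOREST, "b-test.dom", "c-test.dom"),
        # Ken's workaround: an explicit trust makes the far domain a direct one.
        (TREE_ROOT_FOREST + [("b-test.dom", "c-test.dom")], "b-test.dom", "c-test.dom"),
    ]
    for trusts, joined, target in cases:
        print(f"joined {joined}, user from {target}:")
        print("  direct-only  :", can_authenticate(trusts, joined, target, False))
        print("  transitive   :", can_authenticate(trusts, joined, target, True),
              referral_path(trusts, joined, target))
```

Running it shows the pattern the posters report: from the forest root every domain is one or two transitive hops away, while a box joined to b-test.dom reaches c-test.dom only by going through a-test.dom, which a direct-only lookup never does; adding the explicit b-test.dom/c-test.dom trust is exactly what turns the failing direct-only case into a success.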
