[cifs-protocol] Re: [Pfif] Relationship between trusted domain object

Andrew Bartlett abartlet at samba.org
Thu Jul 31 06:53:51 GMT 2008


On Thu, 2008-07-31 at 08:46 +0200, Stefan (metze) Metzmacher wrote:
> Andrew Bartlett wrote:
> > I am requesting correction assistance regarding trusted domain objects:
> > 
> > What is the relationship between the trusted domain object under
> > cn=users,... and that under cn=system,...?
> > 
> > The documentation in MS-ADTS 7.1.6 does not seem to cover the 'user'
> > type objects.  How and when are the passwords updated in both objects,
> > and what linkage is made between the two objects (I would have expected
> > a DN forward and reverse link, such as between the computer account and
> > its entry in cn=configuration)
> 
> I assume the one in cn=otherdomain1,cn=users, is the trust account, if
> your domain trusts 'otherdomain1'. It matches what samba3 has in its
> passdb.
> 
> And cn=otherdomain2, cn=system, holds information you need to contact
> 'otherdomain2', which itself trusts your domain. It matches what
> samba3 has in the secrets.tdb.
> 
> I'm not 100% sure if this is correct...

This is what I always assumed, but then the cn=system account has (and
the documentation goes to great lengths to explain) trustAuthIncoming
and trustAuthOutgoing, which implies that the CN=system holds the full
details - except then what is the cn=users account for?

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.