[cifs-protocol] Case created: [Pfif] Relationship between trusted domain object

Bill Wesse billwe at microsoft.com
Thu Jul 31 08:52:30 GMT 2008


Good morning Andrew (and Stefan)!

I have created a new case (SRX080731600024) for your questions; one of our team will take ownership of this shortly, and will contact you concerning same.

Regards,
Bill Wesse
MCSE / Escalation Engineer, US-CSS DSC PROTOCOL TEAM
8055 Microsoft Way
Charlotte, NC 28273
TEL:  980-776-8200
CELL: 704-661-5438
FAX:  704-665-9606
We're Hiring http://members.microsoft.com/careers/search/details.aspx?JobID=A976CE32-B0B9-41E3-AF57-05A82B88383E&start=1&interval=10&SortCol=DatePosted

-----Original Message-----
From: Andrew Bartlett [mailto:abartlet at samba.org]
Sent: Thursday, July 31, 2008 2:54 AM
To: Stefan (metze) Metzmacher
Cc: Interoperability Documentation Help; pfif at tridgell.net; cifs-protocol at samba.org
Subject: Re: [Pfif] Relationship between trusted domain object

On Thu, 2008-07-31 at 08:46 +0200, Stefan (metze) Metzmacher wrote:
> Andrew Bartlett wrote:
> > I am requesting correction assistance regarding trusted domain objects:
> >
> > What is the relationship between the trusted domain object under
> > cn=users,... and that under cn=system,...?
> >
> > The documentation in MS-ADTS 7.1.6 does not seem to cover the 'user'
> > type objects.  How and when are the passwords updated in both
> > objects, and what linkage is made between the two objects (I would
> > have expected a DN forward and reverse link, such as between the
> > computer account and its entry in cn=configuration)
>
> I assume the one in cn=otherdomain1,cn=users, is the trust account, if
> your domain trusts 'otherdomain1'. It matches what samba3 has in its
> passdb.
>
> And cn=otherdomain2, cn=system, holds information you need to contact
> 'otherdomain2', which itself trusts your domain. It matches what
> samba3 has in the secrets.tdb.
>
> I'm not 100% sure if this is correct...

This is what I always assumed, but then the cn=system account has (and the documentation goes to great lengths to explain) trustAuthIncoming and trustAuthOutgoing, which implies that the CN=system holds the full details - except then what is the cn=users account for?

Andrew Bartlett

--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.

