Inter-Domain Trust Relationships.

Luke Kenneth Casson Leighton lkcl at
Sat Nov 20 22:57:46 GMT 1999

another bit of the puzzle.

1) download / compile latest cvs.  make sure "LMCompatibilityLevel=0x0" on
all trust PDCs.  sorry, can't do NTLMv2 yet: will work on it.

2) put "trusted domains = "TRUST_DOMAIN_NAME=trust_pdc1, trust_bdc2, ..."
"TRUST_DOMAIN_NAME2=trust2_pdc1, trust2_pdc2, ..."

3) for each domain:

Password: type in trusting domain password

3b) go to USRMGR.EXE, go to "Trusted Domains" box, type in SAMBA_DOMAIN
and same password typed in at step 3a).

watch what happens (screen explodes?)

the authentication steps are correct, as best i can tell.  this allows
samba to verify user accounts from trusted domains, similar to "security =

_however_... the file permissions are going to be a bit screwed, as i
haven't added code to map TRUSTED_DOMAIN\remote_user on to unix users,
yet, i.e i need to modify lib/domain_namemap.c to take this into account.
at present, i actually don't know what would happen :-)  let's see... ok,
well i'm in :-)  i happen to have a unix account called administrator, so
samba let me in from the auth against the trusted domain controller, then
file access worked against the unix account, which was the _trusted_
domain username _without_ the domain name on it.  so that's where
lib/domainnamemap.c comes in (maps TRUST_DOMAIN\remote_user to

next is the _trusting_ domains, to allow NT inter-domain users to log in
to a samba pdc.  shouldn't be too hard.


<a href="mailto:lkcl at"   > Luke Kenneth Casson Leighton    </a>
<a href=""> Samba and Network Development   </a>
<a href=""        > Samba Web site                  </a>
<a href=""      > Internet Security Systems, Inc. </a>

More information about the samba-ntdom mailing list