Inter-Domain Trust Relationships.

Greg Dickie greg at discreet.com
Mon Nov 22 21:04:55 GMT 1999


Hey Luke,

 If you are looking for more stuff to do I have a couple of ideas:

1) change the attributes of a service with rpcclient (eg: username)
2) Add functionality (a la at) to interact with the task scheduler service to
add jobs etc.

Note that I have no idea whether these are possible but they would be awfully
convenient for some stuff I'm trying to do at the moment.

Thanks,

Trying Win2k as I type,
Greg

On 20-Nov-99 Luke Kenneth Casson Leighton wrote:
> another bit of the puzzle.
> 
> 1) download / compile latest cvs.  make sure "LMCompatibilityLevel=0x0" on
> all trust PDCs.  sorry, can't do NTLMv2 yet: will work on it.
> 
> 2) put "trusted domains = "TRUST_DOMAIN_NAME=trust_pdc1, trust_bdc2, ..."
> "TRUST_DOMAIN_NAME2=trust2_pdc1, trust2_pdc2, ..."
> 
> 3) for each domain:
> 
> 3a) smbpasswd -j TRUST_DOMAIN_NAME -i TRUST_DOMAIN_NAME
> Password: type in trusting domain password
> 
> 3b) go to USRMGR.EXE, go to "Trusted Domains" box, type in SAMBA_DOMAIN
> and same password typed in at step 3a).
> 
> watch what happens (screen explodes?)
> 
> the authentication steps are correct, as best i can tell.  this allows
> samba to verify user accounts from trusted domains, similar to "security =
> domain".
> 
> _however_... the file permissions are going to be a bit screwed, as i
> haven't added code to map TRUSTED_DOMAIN\remote_user on to unix users,
> yet, i.e i need to modify lib/domain_namemap.c to take this into account.
> at present, i actually don't know what would happen :-)  let's see... ok,
> well i'm in :-)  i happen to have a unix account called administrator, so
> samba let me in from the auth against the trusted domain controller, then
> file access worked against the unix account, which was the _trusted_
> domain username _without_ the domain name on it.  so that's where
> lib/domainnamemap.c comes in (maps TRUST_DOMAIN\remote_user to
> some-specified-unix-username).
> 
> next is the _trusting_ domains, to allow NT inter-domain users to log in
> to a samba pdc.  shouldn't be too hard.
> 
> luke
> 
> Luke Kenneth Casson Leighton <lkcl at samba.org>
> Samba and Network Development: http://www.cb1.com/~lkcl
> Samba Web site: http://samba.org
> Internet Security Systems, Inc.: http://www.iss.net
> 

---------------------------------------------------------------------
Greg Dickie
Just A Guy*
*from discreet (the logic is gone)
Montreal 
(514) 954-7171
greg at discreet.com
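Added example, not code from Samba or from either poster: a small Python model of the `trusted domains` value format Luke quotes and of the TRUST_DOMAIN\remote_user to unix-user mapping he says lib/domain_namemap.c does not yet do. It assumes the value is a whitespace-separated list of quoted `DOMAIN=dc1, dc2, ...` entries exactly as written in the post; the domain, DC and account names are constructed. The `naive_map` function reproduces the fall-through Luke observed (a trusted "administrator" landing in the local unix "administrator" account); `map_trusted_user` shows the explicit-mapping behaviour that avoids it.

```python
import shlex


def parse_trusted_domains(value):
    """Parse a "trusted domains" value of the form
    "DOM=pdc1, bdc1, ..." "DOM2=pdc2, ..." (format assumed from the post)
    into {DOMAIN: [dc, dc, ...]}. Domain names are upper-cased."""
    domains = {}
    for entry in shlex.split(value):
        if "=" not in entry:
            raise ValueError(f"malformed trusted-domain entry: {entry!r}")
        name, dcs = entry.split("=", 1)
        domains[name.strip().upper()] = [dc.strip() for dc in dcs.split(",") if dc.strip()]
    return domains


def split_domain_user(domain_user):
    """Split 'DOMAIN\\user' into ('DOMAIN', 'user'); None if no domain part."""
    if "\\" not in domain_user:
        return None
    domain, user = domain_user.split("\\", 1)
    return domain.upper(), user.lower()


def naive_map(domain_user, local_users):
    """The behaviour Luke describes before domain_namemap.c is updated:
    the domain prefix is dropped and the bare username is used as-is,
    so a trusted-domain user lands in any same-named local account."""
    parts = split_domain_user(domain_user)
    user = parts[1] if parts else domain_user.lower()
    return user if user in local_users else None


def map_trusted_user(domain_user, trusted, name_map, local_users):
    """Explicit mapping: the domain must be trusted, the (domain, user)
    pair must have a configured unix account, and that account must
    exist. Anything else is refused rather than falling through.
    Returns (unix_user_or_None, reason)."""
    parts = split_domain_user(domain_user)
    if parts is None:
        return None, "no domain component"
    domain, user = parts
    if domain not in trusted:
        return None, f"{domain} is not a trusted domain"
    unix_user = name_map.get((domain, user))
    if unix_user is None:
        return None, f"no mapping for {domain}\\{user}"
    if unix_user not in local_users:
        return None, f"mapped account {unix_user} does not exist"
    return unix_user, "mapped"


# Constructed sample configuration and local account set.
TRUSTED = parse_trusted_domains('"NTDOM=ntpdc1, ntbdc1" "NTDOM2=nt2pdc"')
LOCAL_USERS = {"root", "administrator", "greg", "ntdom_admin"}
NAME_MAP = {("NTDOM", "administrator"): "ntdom_admin", ("NTDOM", "greg"): "greg"}
```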
