Interdomain trust

Andrej Borsenkow borsenkow.msk at sni.de
Mon Dec 14 13:52:26 GMT 1998


I did a clean test once more. The whole story looks ehh trivial :-) I have
now one clean trace of what happens when trust is established and the second
one of what happens when connection is verified.

  - adding trust (trusting domain A, trusted domain B)

On the trusted domain, the account for the trusting domain is created manually
(User Manager/trust/add trusting domain). For domain A the account is A$ (the
same as for a WS, with the only difference that a WS has a well-defined initial
password).

When you add a trusted domain (User Manager/trust/add trusted domain), it
first sends a NETLOGON Query for PDC to the B<1B> host. The next step is SS&X
with the name A$ (the account for the trusting domain). I presume it expects
the STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT status (verifies that the account
exists?). The next is wkssvc QUERY_INFO. The next is lsarpc QUERY_INFOPOLICY to
get the SID (well, it does it two times - dunno why). The last step is a
SAMLOGON request to B<1C> with the "interdomain trust" bit on and the _SID_ !
I think it is the trusted domain SID ...

It does not even change password!!

  - verify user

When NT gets an SS&X with a trusted domain, it first sends a SAMLOGON with the
trusted domain and SID to B<1C>. Then it simply does pass-through
authentication in exactly the same way as we do already in SAMBA, with the only
difference that the trusted domain account is being used.

That said, making SAMBA a _trusted_ domain is trivial. It amounts to creating
an account for the trusting domain ... smbpasswd -t? and nmbd accessing the SID
and user database :-)

Making SAMBA a trusting domain needs some sort of database ... something like
a $(privatedir)/trust directory with DOMAIN.mac files for every trusted
domain. And 'course, smbd should be able to send SAMLOGON and receive
replies ...

/andrej
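The two exchanges the message describes (adding a trust, then verifying a user through it), as an added example that is not part of the original post and not Samba code: a toy in-memory model of domain B (trusted) and domain A (trusting) exchanging the messages named in the trace. The message names (SS&X, QUERY_INFOPOLICY, SAMLOGON) follow the trace, but the fields carried, the checks B makes on a SAMLOGON (valid interdomain account, interdomain bit set, SID equal to B's own), the STATUS_TRUST_FAILURE answer for a failed check, and the `trusts` dict standing in for the proposed trust/DOMAIN.mac files are all assumptions made for illustration, not observed behaviour.

```python
# Added example: toy model of the trust-establishment and verification flows
# from the message above. Not Samba code and not wire-level; the checks on the
# trusted side and the failure status are assumptions for illustration.
from dataclasses import dataclass, field

# NetBIOS name suffixes named in the trace: B<1B> is where the PDC is looked
# up, B<1C> is the domain-controllers group name SAMLOGON is sent to.
PDC_SUFFIX, DC_GROUP_SUFFIX = 0x1B, 0x1C

STATUS_OK = "STATUS_OK"
STATUS_LOGON_FAILURE = "STATUS_LOGON_FAILURE"
STATUS_NO_SUCH_USER = "STATUS_NO_SUCH_USER"
STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT = "STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT"
# Assumed: answer when a SAMLOGON fails the trust-account/bit/SID checks
# (the trace in the message shows no failure case).
STATUS_TRUST_FAILURE = "STATUS_TRUST_FAILURE"


@dataclass
class Account:
    name: str
    password: str
    kind: str            # "user", "workstation" (WS$) or "interdomain" (A$)


@dataclass
class TrustedDomain:
    """Domain B: the side the message says Samba could play almost as-is."""
    name: str
    sid: str
    accounts: dict = field(default_factory=dict)

    def add_trusting_domain(self, trusting: str, trust_password: str) -> None:
        # User Manager/trust/add trusting domain: B's admin creates A$ by hand.
        self.accounts[trusting + "$"] = Account(trusting + "$", trust_password, "interdomain")

    def session_setup(self, user: str, password: str) -> str:
        # SS&X: a trust account never gets a real session; the NOLOGON status
        # is what the trusting side reads as "the account exists".
        acct = self.accounts.get(user)
        if acct is None or acct.password != password:
            return STATUS_LOGON_FAILURE
        if acct.kind == "interdomain":
            return STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT
        return STATUS_OK

    def query_info_policy(self) -> tuple:
        # lsarpc QUERY_INFOPOLICY: hand out the domain name and SID.
        return self.name, self.sid

    def sam_logon(self, trust_acct: str, trust_password: str, interdomain: bool,
                  sid: str, user: str = None, password: str = None) -> str:
        # SAMLOGON to B<1C>. Assumed checks: caller holds a valid interdomain
        # trust account, sets the interdomain bit and quotes our SID.
        acct = self.accounts.get(trust_acct)
        if (acct is None or acct.kind != "interdomain"
                or acct.password != trust_password or not interdomain or sid != self.sid):
            return STATUS_TRUST_FAILURE
        if user is None:                      # trust-establishment SAMLOGON
            return STATUS_OK
        target = self.accounts.get(user)      # pass-through: verify B's user
        if target is None or target.kind != "user":
            return STATUS_NO_SUCH_USER
        return STATUS_OK if target.password == password else STATUS_LOGON_FAILURE


@dataclass
class TrustingDomain:
    """Domain A: needs a trust database and must be able to send SAMLOGON."""
    name: str
    trusts: dict = field(default_factory=dict)   # stands in for trust/DOMAIN.mac

    def add_trusted_domain(self, pdc: TrustedDomain, trust_password: str) -> str:
        # 1. NETLOGON Query for PDC to B<1B>: here the PDC is simply handed to us.
        # 2. SS&X with our trust account A$: "success" is the NOLOGON status.
        if pdc.session_setup(self.name + "$", trust_password) != STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT:
            return STATUS_LOGON_FAILURE
        # 3. wkssvc QUERY_INFO (not modelled). 4. lsarpc QUERY_INFOPOLICY for the SID.
        _, sid = pdc.query_info_policy()
        # 5. SAMLOGON to B<1C> with the interdomain bit on and the SID.
        status = pdc.sam_logon(self.name + "$", trust_password, True, sid)
        if status == STATUS_OK:
            self.trusts[pdc.name] = {"sid": sid, "password": trust_password, "pdc": pdc}
        return status

    def verify_user(self, domain: str, user: str, password: str) -> str:
        # An SS&X for DOMAIN\user arrived: pass it through with the trust account
        # and SID recorded when the trust was added.
        t = self.trusts.get(domain)
        if t is None:
            return STATUS_NO_SUCH_USER
        return t["pdc"].sam_logon(self.name + "$", t["password"], True, t["sid"], user, password)


def demo() -> tuple:
    b = TrustedDomain("B", "S-1-5-21-1-2-3")          # constructed sample data
    b.accounts["alice"] = Account("alice", "s3cret", "user")
    b.add_trusting_domain("A", "trustpw")             # B's admin goes first
    a = TrustingDomain("A")
    established = a.add_trusted_domain(b, "trustpw")  # A's admin adds B
    good = a.verify_user("B", "alice", "s3cret")
    bad = a.verify_user("B", "alice", "wrong")
    return established, good, bad


if __name__ == "__main__":
    print(demo())   # ('STATUS_OK', 'STATUS_OK', 'STATUS_LOGON_FAILURE')
```

Note that, as in the trace, nothing here ever changes the trust password: both admins type the same value once and A$ keeps it, which is exactly the "it does not even change password" observation.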



More information about the samba-technical mailing list