Interdomain trust

Luke Kenneth Casson Leighton lkcl at switchboard.net
Mon Dec 14 18:10:21 GMT 1998 

On Tue, 15 Dec 1998, Andrej Borsenkow wrote:

> I did a clean test once more. The whole story looks ehh trivial :-) I have
> now one clean trace of what happens when trust is established and the second
> one of what happens when connection is verified.

goodie.
 
>   - adding trust (trusting domain A, trusted domain B)
> 
> On trusted domain account for trusting domain is created manually (User
> manager/trust/add trusting domain). For domain A account is A$ (the same as
> for a WS with the only difference, that WS has well defined initial pasword)
> 
> When you add trusted domain (User Manager/trust/add trusted domain), it
> first sends NETLOGON Query for PDC to B<1B> host. The next step is SS&X with
> name A$ (account for trusting domain). I presume, it expects
> STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT status (verifies, that account
> exists?).

yep.

> The next is wkssvc QUERY_INFO. The next lsarpc QUERY_INFOPOLICY to
> get SID (well, it does it two times - dunno why).

different info levels.  level 3 (domain member SID) level 5 (SAM database
SID).

> The last step is SAMLOGON
> request to B<1C> with bit "interdomain trust" on and _SID_ ! I think, it is
> the trusted domain SID ...
> 
> It does not even change password!!

oh dear.  try it again, next week :-)

smbclient //nt_srv/ipc$ -U "TRUST_DOMAIN_NAME\$"

and see if the password you used is accepted (i.e STATUS_NOLOGON....)

>   - verify user
> 
> When NT gets SS&X with trusted domain, it first sends SAMLOGON with trusted
> domain and SID to B<1C> Then it simply does pass-through authentication in
> exactly the same way as we do already in SAMBA, with the only difference,
> that trusted domain account is being used.
> 
> That said, making SAMBA _trusted_ domain is trivial. It amounts to creating
> account for trusting domain ... smbpasswd -t? and nmbd accessing SID and
> user database :-)

yep!
 
> Making SAMBA trusting domain needs some sort of database ... something like
> $(privatedir)/trust directory with DOMAIN.mac files for every trusted
> domain. And 'course, smbd should be able to send SAMLOGON and receive
> replies ...

yep!

in addition:

- support \DOMAIN_NAME\user in map files

- add LsaLookupNames and LsaLookupSids calls to lib/domain_namemap.c

- add a list of DOMAIN_NAME + DOMAIN_SID code in lib/sids.c for the
map_domain_name_to_sid() functions.

- extend lookup_sids() and lookup_names() so that rpc_server/rpc_lsarpc.c,
which support LsaLookupNames and LsaLookupSids can respond correctly to
trusted domain accounts

about a week's work, basically.

More information about the samba-technical mailing list