Inter-Domain Trust Relationships.
Luke Kenneth Casson Leighton
lkcl at samba.org
Sat Nov 20 22:57:46 GMT 1999
another bit of the puzzle.

1) download / compile latest cvs. make sure "LMCompatibilityLevel=0x0" on
   all trust PDCs. sorry, can't do NTLMv2 yet: will work on it.

2) put "trusted domains = "TRUST_DOMAIN_NAME=trust_pdc1, trust_bdc2, ..."
   "TRUST_DOMAIN_NAME2=trust2_pdc1, trust2_pdc2, ..."

3) for each domain:

3a) smbpasswd -j TRUST_DOMAIN_NAME -i TRUST_DOMAIN_NAME
    Password: type in trusting domain password

3b) go to USRMGR.EXE, go to "Trusted Domains" box, type in SAMBA_DOMAIN
    and same password typed in at step 3a).

watch what happens (screen explodes?)

the authentication steps are correct, as best i can tell. this allows
samba to verify user accounts from trusted domains, similar to "security =
domain".
_however_... the file permissions are going to be a bit screwed, as i
haven't added code to map TRUSTED_DOMAIN\remote_user on to unix users,
yet, i.e. i need to modify lib/domain_namemap.c to take this into account.
at present, i actually don't know what would happen :-) let's see... ok,
well i'm in :-) i happen to have a unix account called administrator, so
samba let me in from the auth against the trusted domain controller, then
file access worked against the unix account, which was the _trusted_
domain username _without_ the domain name on it. so that's where
lib/domainnamemap.c comes in (maps TRUST_DOMAIN\remote_user to
some-specified-unix-username).
next is the _trusting_ domains, to allow NT inter-domain users to log in
to a samba pdc. shouldn't be too hard.
luke
<a href="mailto:lkcl at samba.org" > Luke Kenneth Casson Leighton </a>
<a href="http://www.cb1.com/~lkcl"> Samba and Network Development </a>
<a href="http://samba.org" > Samba Web site </a>
<a href="http://www.iss.net" > Internet Security Systems, Inc. </a>
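
The post observes that a user authenticated by the trusted domain controller was given the unix account with the same bare username. The following is an added example, not Samba's code and not the format used by lib/domain_namemap.c: it contrasts that domain-stripping behaviour with an explicit TRUST_DOMAIN\remote_user lookup that denies unmapped names. The table, function names and unix usernames are hypothetical.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Hypothetical mapping table: every entry is constructed for this example. */
struct name_map { const char *domain; const char *nt_user; const char *unix_user; };

static const struct name_map MAP[] = {
    { "TRUST_DOMAIN", "administrator", "td_admin" },
    { "TRUST_DOMAIN", "remote_user",   "ruser"    },
};

/* Behaviour described in the post: drop the domain, use the bare name. */
const char *map_strip_domain(const char *nt_name)
{
    const char *sep = strrchr(nt_name, '\\');
    return sep ? sep + 1 : nt_name;
}

/* Explicit mapping: DOMAIN\user must match a table entry, else NULL (deny). */
const char *map_explicit(const char *nt_name)
{
    const char *sep = strchr(nt_name, '\\');
    size_t i, dlen;

    if (sep == NULL || sep == nt_name || sep[1] == '\0')
        return NULL;            /* no domain part or no user part: refuse */
    dlen = (size_t)(sep - nt_name);

    for (i = 0; i < sizeof(MAP) / sizeof(MAP[0]); i++) {
        if (strlen(MAP[i].domain) == dlen &&
            strncasecmp(MAP[i].domain, nt_name, dlen) == 0 &&
            strcasecmp(MAP[i].nt_user, sep + 1) == 0)
            return MAP[i].unix_user;
    }
    return NULL;                /* unmapped trusted-domain user: no unix identity */
}

int main(void)
{
    const char *in[] = { "TRUST_DOMAIN\\administrator", "OTHER_DOMAIN\\administrator" };
    size_t i;
    for (i = 0; i < 2; i++) {
        const char *u = map_explicit(in[i]);
        printf("%-28s strip=%-14s explicit=%s\n", in[i],
               map_strip_domain(in[i]), u ? u : "(denied)");
    }
    return 0;
}
```

With domain stripping, both sample names resolve to the local `administrator` account; with the explicit table, only the mapped TRUST_DOMAIN entry receives a unix identity.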