samba and trust relationships
MCCALL,DON (HP-USA,ex1)
don_mccall at hp.com
Thu Sep 13 17:30:02 GMT 2001
Hi Andrew,
I think the smb.conf parameter "trusted domains=no" is what you are looking
for.
Hope this helps,
Don
-----Original Message-----
From: andrew morgan [mailto:morgan at orst.edu]
Sent: Thursday, September 13, 2001 18:40
To: samba-technical at samba.org
Subject: samba and trust relationships
We have been talking about setting up Active Directory across campus here
at Oregon State University lately, so I wondered what impact that would
have on our installations of samba.
I setup a test samba server (v2.0.10) called PROTAGONIST, added the
computer account to our test AD forest in a domain called MCC203DOM, and
joined samba to the domain using "smbpasswd -j MCC203DOM". All good.
Here is my smb.conf file, very simple:
[global]
netbios name = PROTAGONIST
security = domain
password server = *
encrypt passwords = true
guest account = nobody
domain master = no
local master = no
preferred master = no
os level = 0
debug level = 1
name resolve order = wins host
wide links = false
wins support = false
wins server = 128.193.4.45
workgroup = MCC203DOM
server string = Test Server
nt acl support = true
log file = /private/samba/var/log.smb
lock directory = /private/samba/var/locks
[homes]
comment = Home Directories
browseable = false
read only = no
create mode = 0700
Then I created a unix account on the samba server called "morgan" and an
account in the AD domain MCC203DOM will the same username. From my NT
workstation, I was able to map a drive to \\protagonist\morgan using
MCC203DOM\morgan as my username and the AD password. All good.
Then I asked myself, "What if I create a user called 'morgan' in another
domain in AD?" So I created a user called "morgan" in the same AD forest
in the ITC1 domain. To my surprise, I was able to connect to
\\protagonist\morgan using ITC1\morgan as the username. I assume the PDC
for MCC203DOM is okaying ITC1\morgan because of the transitive trust
relationships in AD.
Then I asked myself, "What happens with trusts in NT domains with samba?"
So I set up a two way trust between the ORST domain (in which we have a
completely different samba server, same version, similar configuration)
and the SCF domain. Then I created a user in the SCF domain with the same
name as a user in the ORST domain, and I was again able to see the home
directory of a user in the ORST domain using the SCF domain account with
the same name.
My guess is that here is what samba is doing:
1. Get's domain\username and password from client
2. Since we are using pass-through auth, it passes those credentials on to
a domain controller to validate
3. Domain controller sees that the domain specified belongs to one of it's
trusted domains and passes the credentials to the trusted domain's domain
controller
4. Trust domain's domain controller says, "Yep, that is correct" to the
samba server's domain controller
5. Samba server's domain controller tells samba, "Yep, that is correct"
6. Samba server strips off the domain part of the username and checks that
the base name exists in unix.
Is this the expected behavior when samba is a member of a domain which
trusts other domains? Is there a way to only permit users of the same
domain which the samba server is a member of to connect to the samba
server
In the past, I have only created one-way trusts with other domains, so
that computers in those domains would allow users to login with their ORST
username and access ORST resources on our samba server, but not the
reverse. It looks like I was wise (or lucky!) to do so. This may not be
a big deal in NT, where I have to explicitely trust the other NT domain
(and therefore trust that the domain admin doesn't mess with me), but in
Active Directory, I trust every domain in the forest! I wish I could say
that I can trust every domain admin in the forest...
Andy
More information about the samba-technical
mailing list