samba and trust relationships

MCCALL,DON (HP-USA,ex1) don_mccall at
Thu Sep 13 17:30:02 GMT 2001

Hi Andrew,
I think the smb.conf parameter "trusted domains=no" is what you are looking
Hope this helps,
-----Original Message-----
From: andrew morgan [mailto:morgan at]
Sent: Thursday, September 13, 2001 18:40
To: samba-technical at
Subject: samba and trust relationships

We have been talking about setting up Active Directory across campus here
at Oregon State University lately, so I wondered what impact that would
have on our installations of samba.

I setup a test samba server (v2.0.10) called PROTAGONIST, added the
computer account to our test AD forest in a domain called MCC203DOM, and
joined samba to the domain using "smbpasswd -j MCC203DOM".  All good.
Here is my smb.conf file, very simple:

        netbios name = PROTAGONIST
        security = domain
        password server = *
        encrypt passwords = true
        guest account = nobody
        domain master = no
        local master = no
        preferred master = no
        os level = 0
        debug level = 1
        name resolve order = wins host
        wide links = false
        wins support = false
        wins server =
        workgroup = MCC203DOM
        server string = Test Server
        nt acl support = true
        log file = /private/samba/var/log.smb
        lock directory = /private/samba/var/locks

        comment = Home Directories
        browseable = false
        read only = no
        create mode = 0700

Then I created a unix account on the samba server called "morgan" and an
account in the AD domain MCC203DOM will the same username.  From my NT
workstation, I was able to map a drive to \\protagonist\morgan using
MCC203DOM\morgan as my username and the AD password.  All good.

Then I asked myself, "What if I create a user called 'morgan' in another
domain in AD?"  So I created a user called "morgan" in the same AD forest
in the ITC1 domain.  To my surprise, I was able to connect to
\\protagonist\morgan using ITC1\morgan as the username.  I assume the PDC
for MCC203DOM is okaying ITC1\morgan because of the transitive trust
relationships in AD.

Then I asked myself, "What happens with trusts in NT domains with samba?"
So I set up a two way trust between the ORST domain (in which we have a
completely different samba server, same version, similar configuration)
and the SCF domain.  Then I created a user in the SCF domain with the same
name as a user in the ORST domain, and I was again able to see the home
directory of a user in the ORST domain using the SCF domain account with
the same name.

My guess is that here is what samba is doing:

1. Get's domain\username and password from client
2. Since we are using pass-through auth, it passes those credentials on to
a domain controller to validate
3. Domain controller sees that the domain specified belongs to one of it's
trusted domains and passes the credentials to the trusted domain's domain
4. Trust domain's domain controller says, "Yep, that is correct" to the
samba server's domain controller
5. Samba server's domain controller tells samba, "Yep, that is correct"
6. Samba server strips off the domain part of the username and checks that
the base name exists in unix.

Is this the expected behavior when samba is a member of a domain which
trusts other domains?  Is there a way to only permit users of the same
domain which the samba server is a member of to connect to the samba

In the past, I have only created one-way trusts with other domains, so
that computers in those domains would allow users to login with their ORST
username and access ORST resources on our samba server, but not the
reverse.  It looks like I was wise (or lucky!) to do so.  This may not be
a big deal in NT, where I have to explicitely trust the other NT domain
(and therefore trust that the domain admin doesn't mess with me), but in
Active Directory, I trust every domain in the forest!  I wish I could say
that I can trust every domain admin in the forest...


More information about the samba-technical mailing list