samba and trust relationships

andrew morgan morgan at orst.edu
Thu Sep 13 18:43:02 GMT 2001


Doh!  Actually it is "allow trusted domains = no", but your clue was
enough for me to find it.  I feel like a fool for not seeing that in the
docs, but I've been running samba for several years now and I don't
remember ever seeing that parameter.

I guess this parameter will become more important as people migrate to AD
and give up more control than they have in the past.

Thanks,
	Andy

On Thu, 13 Sep 2001, MCCALL,DON (HP-USA,ex1) wrote:

>
> Hi Andrew,
> I think the smb.conf parameter "trusted domains=no" is what you are looking
> for.
> Hope this helps,
> Don
> -----Original Message-----
> From: andrew morgan [mailto:morgan at orst.edu]
> Sent: Thursday, September 13, 2001 18:40
> To: samba-technical at samba.org
> Subject: samba and trust relationships
>
>
>
> We have been talking about setting up Active Directory across campus here
> at Oregon State University lately, so I wondered what impact that would
> have on our installations of samba.
>
> I set up a test samba server (v2.0.10) called PROTAGONIST, added the
> computer account to our test AD forest in a domain called MCC203DOM, and
> joined samba to the domain using "smbpasswd -j MCC203DOM".  All good.
> Here is my smb.conf file, very simple:
>
> [global]
>         netbios name = PROTAGONIST
>         security = domain
>         password server = *
>         encrypt passwords = true
>         guest account = nobody
>         domain master = no
>         local master = no
>         preferred master = no
>         os level = 0
>         debug level = 1
>         name resolve order = wins host
>         wide links = false
>         wins support = false
>         wins server = 128.193.4.45
>         workgroup = MCC203DOM
>         server string = Test Server
>         nt acl support = true
>         log file = /private/samba/var/log.smb
>         lock directory = /private/samba/var/locks
>
> [homes]
>         comment = Home Directories
>         browseable = false
>         read only = no
>         create mode = 0700
>
>
> Then I created a unix account on the samba server called "morgan" and an
> account in the AD domain MCC203DOM with the same username.  From my NT
> workstation, I was able to map a drive to \\protagonist\morgan using
> MCC203DOM\morgan as my username and the AD password.  All good.
>
> Then I asked myself, "What if I create a user called 'morgan' in another
> domain in AD?"  So I created a user called "morgan" in the same AD forest
> in the ITC1 domain.  To my surprise, I was able to connect to
> \\protagonist\morgan using ITC1\morgan as the username.  I assume the PDC
> for MCC203DOM is okaying ITC1\morgan because of the transitive trust
> relationships in AD.
>
> Then I asked myself, "What happens with trusts in NT domains with samba?"
> So I set up a two way trust between the ORST domain (in which we have a
> completely different samba server, same version, similar configuration)
> and the SCF domain.  Then I created a user in the SCF domain with the same
> name as a user in the ORST domain, and I was again able to see the home
> directory of a user in the ORST domain using the SCF domain account with
> the same name.
>
> My guess is that here is what samba is doing:
>
> 1. Gets domain\username and password from client
> 2. Since we are using pass-through auth, it passes those credentials on to
> a domain controller to validate
> 3. Domain controller sees that the domain specified belongs to one of its
> trusted domains and passes the credentials to the trusted domain's domain
> controller
> 4. Trusted domain's domain controller says, "Yep, that is correct" to the
> samba server's domain controller
> 5. Samba server's domain controller tells samba, "Yep, that is correct"
> 6. Samba server strips off the domain part of the username and checks that
> the base name exists in unix.
>
> Is this the expected behavior when samba is a member of a domain which
> trusts other domains?  Is there a way to only permit users of the same
> domain which the samba server is a member of to connect to the samba
> server?
>
> In the past, I have only created one-way trusts with other domains, so
> that computers in those domains would allow users to login with their ORST
> username and access ORST resources on our samba server, but not the
> reverse.  It looks like I was wise (or lucky!) to do so.  This may not be
> a big deal in NT, where I have to explicitly trust the other NT domain
> (and therefore trust that the domain admin doesn't mess with me), but in
> Active Directory, I trust every domain in the forest!  I wish I could say
> that I can trust every domain admin in the forest...
>
> 	Andy
>
>
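The following is an added example, not code from the thread or from Samba itself. It is a small Python model of the pass-through authentication flow Andy guesses at in steps 1-6 above, written to show why a same-named account in a trusted domain ends up on the same unix home directory, why a transitive (AD forest) trust widens the reach compared with a classic one-way NT trust, and what a member-domain-only restriction like "allow trusted domains = no" changes. The domain names MCC203DOM and ITC1 come from the thread; FAR, the account names, the passwords, and the trust table are constructed sample data, and the `transitive` flag is a modelling assumption rather than a Samba parameter.

```python
# Added example: model of the guessed pass-through authentication flow.
# Not Samba source; sample domains, accounts and passwords are constructed.
from collections import deque

MEMBER_DOMAIN = "MCC203DOM"          # the domain the samba server joined

# Trust edges as the member server's DC sees them: domain -> domains it trusts.
# FAR is a constructed extra domain reachable only through ITC1, so that the
# difference between transitive and non-transitive trust is visible.
TRUSTS = {
    "MCC203DOM": {"ITC1"},
    "ITC1": {"MCC203DOM", "FAR"},
    "FAR": {"ITC1"},
}

# Constructed accounts: (domain, username) -> password held by that domain's DC.
DIRECTORY = {
    ("MCC203DOM", "morgan"): "ad-password-1",
    ("ITC1", "morgan"): "other-password",
    ("FAR", "morgan"): "far-password",
    ("ITC1", "alice"): "alice-password",
}

UNIX_USERS = {"morgan", "nobody"}    # local accounts on the samba server


def dc_validate(dc_domain, domain, user, password, transitive=True):
    """Steps 3-5: the DC answers for its own domain and otherwise forwards the
    credentials along its trust relationships.  transitive=True models an AD
    forest; transitive=False models a classic NT trust, which is not chained."""
    if domain == dc_domain:
        return DIRECTORY.get((domain, user)) == password
    seen = {dc_domain}
    queue = deque(TRUSTS.get(dc_domain, ()))
    while queue:
        hop = queue.popleft()
        if hop in seen:
            continue
        seen.add(hop)
        if hop == domain:
            return DIRECTORY.get((domain, user)) == password
        if transitive:                       # AD: keep walking the forest
            queue.extend(TRUSTS.get(hop, ()))
    return False                             # no trust path to that domain


def samba_authenticate(credential, password, allow_trusted_domains=True, transitive=True):
    """Steps 1, 2 and 6: take DOMAIN\\user from the client, hand it to the
    member domain's DC, then strip the domain and look the bare name up in
    unix.  Returns the unix account granted, or None if the logon is refused.
    allow_trusted_domains=False models the smb.conf setting of that name as
    the thread describes it: a logon naming any domain other than the member
    domain is refused before the DC is asked at all."""
    domain, sep, user = credential.partition("\\")
    if not sep:                              # no prefix: assume the member domain
        domain, user = MEMBER_DOMAIN, credential
    if not allow_trusted_domains and domain.upper() != MEMBER_DOMAIN:
        return None
    if not dc_validate(MEMBER_DOMAIN, domain, user, password, transitive):
        return None
    return user if user in UNIX_USERS else None   # step 6 drops the domain part


def unix_account_collisions():
    """Defender's check: which unix accounts can be reached from more than
    one domain principal once the domain prefix has been stripped?"""
    by_name = {}
    for (domain, user) in DIRECTORY:
        if user in UNIX_USERS:
            by_name.setdefault(user, set()).add(domain)
    return {user: sorted(domains) for user, domains in by_name.items()
            if len(domains) > 1}


if __name__ == "__main__":
    print("MCC203DOM\\morgan ->", samba_authenticate("MCC203DOM\\morgan", "ad-password-1"))
    print("ITC1\\morgan      ->", samba_authenticate("ITC1\\morgan", "other-password"))
    print("FAR\\morgan (AD)  ->", samba_authenticate("FAR\\morgan", "far-password"))
    print("FAR\\morgan (NT)  ->", samba_authenticate("FAR\\morgan", "far-password", transitive=False))
    print("ITC1\\morgan with allow trusted domains = no ->",
          samba_authenticate("ITC1\\morgan", "other-password", allow_trusted_domains=False))
    print("collisions:", unix_account_collisions())
```

Run it as a script to see the two outcomes side by side: with trusted domains allowed, ITC1\morgan (and, through the transitive chain, FAR\morgan) is granted the unix account "morgan" just like MCC203DOM\morgan; with the restriction in place only the member domain's principal gets through. The collision check is the piece worth keeping in a real environment, since the stripping in step 6 means every unix account shared with a trusted domain's namespace is a potential overlap regardless of which setting is in force.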