samba and trust relationships

andrew morgan morgan at
Thu Sep 13 18:43:02 GMT 2001

Doh!  Actually it is "allow trusted domains = no", but your clue was
enough for me to find it.  I feel like a fool for not seeing that in the
docs, but I've been running samba for several years now and I don't
remember ever seeing that parameter.

I guess this parameter will become more important as people migrate to AD
and give up more control than they have in the past.


On Thu, 13 Sep 2001, MCCALL,DON (HP-USA,ex1) wrote:

> Hi Andrew,
> I think the smb.conf parameter "trusted domains=no" is what you are looking
> for.
> Hope this helps,
> Don
> -----Original Message-----
> From: andrew morgan [mailto:morgan at]
> Sent: Thursday, September 13, 2001 18:40
> To: samba-technical at
> Subject: samba and trust relationships
> We have been talking about setting up Active Directory across campus here
> at Oregon State University lately, so I wondered what impact that would
> have on our installations of samba.
> I setup a test samba server (v2.0.10) called PROTAGONIST, added the
> computer account to our test AD forest in a domain called MCC203DOM, and
> joined samba to the domain using "smbpasswd -j MCC203DOM".  All good.
> Here is my smb.conf file, very simple:
> [global]
>         netbios name = PROTAGONIST
>         security = domain
>         password server = *
>         encrypt passwords = true
>         guest account = nobody
>         domain master = no
>         local master = no
>         preferred master = no
>         os level = 0
>         debug level = 1
>         name resolve order = wins host
>         wide links = false
>         wins support = false
>         wins server =
>         workgroup = MCC203DOM
>         server string = Test Server
>         nt acl support = true
>         log file = /private/samba/var/log.smb
>         lock directory = /private/samba/var/locks
> [homes]
>         comment = Home Directories
>         browseable = false
>         read only = no
>         create mode = 0700
> Then I created a unix account on the samba server called "morgan" and an
> account in the AD domain MCC203DOM will the same username.  From my NT
> workstation, I was able to map a drive to \\protagonist\morgan using
> MCC203DOM\morgan as my username and the AD password.  All good.
> Then I asked myself, "What if I create a user called 'morgan' in another
> domain in AD?"  So I created a user called "morgan" in the same AD forest
> in the ITC1 domain.  To my surprise, I was able to connect to
> \\protagonist\morgan using ITC1\morgan as the username.  I assume the PDC
> for MCC203DOM is okaying ITC1\morgan because of the transitive trust
> relationships in AD.
> Then I asked myself, "What happens with trusts in NT domains with samba?"
> So I set up a two way trust between the ORST domain (in which we have a
> completely different samba server, same version, similar configuration)
> and the SCF domain.  Then I created a user in the SCF domain with the same
> name as a user in the ORST domain, and I was again able to see the home
> directory of a user in the ORST domain using the SCF domain account with
> the same name.
> My guess is that here is what samba is doing:
> 1. Get's domain\username and password from client
> 2. Since we are using pass-through auth, it passes those credentials on to
> a domain controller to validate
> 3. Domain controller sees that the domain specified belongs to one of it's
> trusted domains and passes the credentials to the trusted domain's domain
> controller
> 4. Trust domain's domain controller says, "Yep, that is correct" to the
> samba server's domain controller
> 5. Samba server's domain controller tells samba, "Yep, that is correct"
> 6. Samba server strips off the domain part of the username and checks that
> the base name exists in unix.
> Is this the expected behavior when samba is a member of a domain which
> trusts other domains?  Is there a way to only permit users of the same
> domain which the samba server is a member of to connect to the samba
> server
> In the past, I have only created one-way trusts with other domains, so
> that computers in those domains would allow users to login with their ORST
> username and access ORST resources on our samba server, but not the
> reverse.  It looks like I was wise (or lucky!) to do so.  This may not be
> a big deal in NT, where I have to explicitely trust the other NT domain
> (and therefore trust that the domain admin doesn't mess with me), but in
> Active Directory, I trust every domain in the forest!  I wish I could say
> that I can trust every domain admin in the forest...
> 	Andy

More information about the samba-technical mailing list