samba and trust relationships
morgan at orst.edu
Thu Sep 13 18:43:02 GMT 2001
Doh! Actually it is "allow trusted domains = no", but your clue was
enough for me to find it. I feel like a fool for not seeing that in the
docs, but I've been running samba for several years now and I don't
remember ever seeing that parameter.
I guess this parameter will become more important as people migrate to AD
and give up more control than they have in the past.
On Thu, 13 Sep 2001, MCCALL,DON (HP-USA,ex1) wrote:
> Hi Andrew,
> I think the smb.conf parameter "trusted domains=no" is what you are looking
> Hope this helps,
> -----Original Message-----
> From: andrew morgan [mailto:morgan at orst.edu]
> Sent: Thursday, September 13, 2001 18:40
> To: samba-technical at samba.org
> Subject: samba and trust relationships
> We have been talking about setting up Active Directory across campus here
> at Oregon State University lately, so I wondered what impact that would
> have on our installations of samba.
> I setup a test samba server (v2.0.10) called PROTAGONIST, added the
> computer account to our test AD forest in a domain called MCC203DOM, and
> joined samba to the domain using "smbpasswd -j MCC203DOM". All good.
> Here is my smb.conf file, very simple:
> netbios name = PROTAGONIST
> security = domain
> password server = *
> encrypt passwords = true
> guest account = nobody
> domain master = no
> local master = no
> preferred master = no
> os level = 0
> debug level = 1
> name resolve order = wins host
> wide links = false
> wins support = false
> wins server = 126.96.36.199
> workgroup = MCC203DOM
> server string = Test Server
> nt acl support = true
> log file = /private/samba/var/log.smb
> lock directory = /private/samba/var/locks
> comment = Home Directories
> browseable = false
> read only = no
> create mode = 0700
> Then I created a unix account on the samba server called "morgan" and an
> account in the AD domain MCC203DOM will the same username. From my NT
> workstation, I was able to map a drive to \\protagonist\morgan using
> MCC203DOM\morgan as my username and the AD password. All good.
> Then I asked myself, "What if I create a user called 'morgan' in another
> domain in AD?" So I created a user called "morgan" in the same AD forest
> in the ITC1 domain. To my surprise, I was able to connect to
> \\protagonist\morgan using ITC1\morgan as the username. I assume the PDC
> for MCC203DOM is okaying ITC1\morgan because of the transitive trust
> relationships in AD.
> Then I asked myself, "What happens with trusts in NT domains with samba?"
> So I set up a two way trust between the ORST domain (in which we have a
> completely different samba server, same version, similar configuration)
> and the SCF domain. Then I created a user in the SCF domain with the same
> name as a user in the ORST domain, and I was again able to see the home
> directory of a user in the ORST domain using the SCF domain account with
> the same name.
> My guess is that here is what samba is doing:
> 1. Get's domain\username and password from client
> 2. Since we are using pass-through auth, it passes those credentials on to
> a domain controller to validate
> 3. Domain controller sees that the domain specified belongs to one of it's
> trusted domains and passes the credentials to the trusted domain's domain
> 4. Trust domain's domain controller says, "Yep, that is correct" to the
> samba server's domain controller
> 5. Samba server's domain controller tells samba, "Yep, that is correct"
> 6. Samba server strips off the domain part of the username and checks that
> the base name exists in unix.
> Is this the expected behavior when samba is a member of a domain which
> trusts other domains? Is there a way to only permit users of the same
> domain which the samba server is a member of to connect to the samba
> In the past, I have only created one-way trusts with other domains, so
> that computers in those domains would allow users to login with their ORST
> username and access ORST resources on our samba server, but not the
> reverse. It looks like I was wise (or lucky!) to do so. This may not be
> a big deal in NT, where I have to explicitely trust the other NT domain
> (and therefore trust that the domain admin doesn't mess with me), but in
> Active Directory, I trust every domain in the forest! I wish I could say
> that I can trust every domain admin in the forest...
More information about the samba-technical