Authentication through Transitive Trusts

Ken Cross kcross at nssolutions.com
Wed Apr 2 20:36:55 GMT 2003


All operations are working correctly, including user/group mapping,
user/group listings, authentication, etc.  

And everything works fine for domains listed in wbinfo -m.  The only
problem comes when trying to authenticate against a sibling in the
forest (KAMA vs. CAMP in my example).  These are transitive trusts and
don't get listed in wbinfo -m.

I was mainly looking to see if anybody else has done this successfully
in similar configurations.

Ken
________________________________

Ken Cross

Network Storage Solutions
Phone 865.675.4070 ext 31
kcross at nssolutions.com 

> -----Original Message-----
> From: samba-technical-bounces+kcross=nssolutions.com at lists.samba.org
> [mailto:samba-technical-bounces+kcross=nssolutions.com at lists.samba.org]
> On Behalf Of Rafal Szczesniak
> Sent: Wednesday, April 02, 2003 3:27 PM
> To: Ken Cross
> Cc: 'Multiple recipients of list SAMBA-TECHNICAL'
> Subject: Re: Authentication through Transitive Trusts
> 
> 
> On Tue, Apr 01, 2003 at 10:45:07AM -0500, Ken Cross wrote:
> > Samba-folk:
> > 
> > I have an Active Directory with SUPTRA at the top and 2 other AD 
> > servers, KAMA and CAMP.
> > 
> > If Samba joins KAMA, it can authenticate against KAMA and/or SUPTRA,
> > but not CAMP.  wbinfo -u shows users from all 3 servers, but wbinfo -m
> > only shows SUPTRA.
> > 
> > KAMA and CAMP have an implicit transitive trust, but I can't seem to
> > get Samba to use it.  The authentication request is sent to KAMA, but
> > it gets NT_STATUS_NO_SUCH_USER.  (Same results if it joins CAMP and
> > tries to authenticate against KAMA.)
> 
> Sounds like winbind doesn't map to unix uid correctly, or
> your ads domain join didn't work. You use winbind, don't you?
> 
> > Is there some trick to using transitive trusts (SAMBA_3_0)?
> 
> Nope. Just make sure you have 'allow trusted domains = yes'. 
> It's set this way by default.
> 
> 
> cheers,
> -- 
>  Rafal Szczesniak      mimir[at]diament.ists.pwr.wroc.pl
>  Samba Team member     mimir[at]samba.org
> +---------------------------------------------------------+
>  *BSD, GNU/Linux and Samba          http://www.samba.org
> +---------------------------------------------------------+
> 
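
A diagnostic for the symptom described in this thread, added here as an example and not part of either poster's message: it reports domains whose users show up in `wbinfo -u` output but which are missing from the `wbinfo -m` trusted-domain list. The function name `unlisted_domains`, the sample output and the user names in it are constructed for illustration; the default `\` separator assumes `winbind separator` has not been changed.

```shell
#!/bin/sh
# Added example (not from the thread): find domains that winbind
# enumerates users for but does not list as trusted.

# Constructed sample output shaped like the thread's setup:
# Samba joined to KAMA, forest root SUPTRA, sibling CAMP.
SAMPLE_USERS='SUPTRA\administrator
SUPTRA\alice
KAMA\bob
CAMP\carol
CAMP\dave'
SAMPLE_TRUSTS='SUPTRA'

# unlisted_domains JOINED USERS TRUSTS [SEP]
#   JOINED  domain the Samba host is joined to (never expected in TRUSTS)
#   USERS   text of `wbinfo -u`, one DOMAIN<SEP>user per line
#   TRUSTS  text of `wbinfo -m`, one domain per line
#   SEP     winbind separator, default backslash
# Prints each domain seen in USERS that is neither JOINED nor in TRUSTS.
unlisted_domains() {
    joined=$1
    users=$2
    trusts=$3
    sep=${4:-'\'}
    printf '%s\n' "$users" | while IFS= read -r line; do
        case $line in
            *"$sep"*)
                # Keep everything before the first separator.
                dom=${line%%"$sep"*}
                printf '%s\n' "$dom"
                ;;
        esac
    done | sort -u | while IFS= read -r dom; do
        [ "$dom" = "$joined" ] && continue
        # -x whole-line match, -F literal string, so names are not regexes.
        printf '%s\n' "$trusts" | grep -qxF -- "$dom" || printf '%s\n' "$dom"
    done
}

# On a live host the inputs would come from winbind itself:
#   unlisted_domains KAMA "$(wbinfo -u)" "$(wbinfo -m)"
unlisted_domains KAMA "$SAMPLE_USERS" "$SAMPLE_TRUSTS"
```

With the sample data the only domain reported is CAMP, the sibling reached through the transitive trust.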


