Authentication through Transitive Trusts

Marc Kaplan MKaplan at
Wed Apr 2 21:25:43 GMT 2003

Whops, I drew the tree wrong, it really looks like this


Also, not that it's a fix for this issue, there is a viable workaround,
which is to establish a cross link trust and make the implicit trust
explicit. So the above, becomes this:

|							    |
|--------------Cross Link Trust---------------|

-----Original Message-----
From: Marc Kaplan [mailto:MKaplan at]
Sent: Wednesday, April 02, 2003 1:18 PM
To: 'Ken Cross'; 'Rafal Szczesniak'; 'tridge at'
Cc: 'Multiple recipients of list SAMBA-TECHNICAL'
Subject: RE: Authentication through Transitive Trusts


I have the following configuration:


a.domain is the root of this tree, and there are tree-root trusts (in AD
parlance) between these domains. If I join a.domain, I can successfully
authenticate from b.domain and c.domain. However, if I join c.domain I
b.domain lists DISCONNECTED in a wbinfo --sequence. Same goes for joining
c.domain -- I get DISCONNECTED to b.domain. 

The following situation, however, seems to work fine for me (I hope my
drawing shows up correctly)


I have successful authentication between all of the domains in this AD

The problem with a.domain, b.domain and c.domain, Tridge looked at when he
was working at Snap and he traced it to a problem in the MIT kerberos code
assuming a child-parent trust when the trusts were really tree-root trusts. 

Originally, I was getting the problem you're seeing, that transitive trusts
could not be discovered in wbinfo -m (or wbinfo --sequence), but Tridge
fixed that at least for our code base. Maybe it has not been merged to Tridge?


-----Original Message-----
From: Ken Cross [mailto:kcross at]
Sent: Wednesday, April 02, 2003 12:37 PM
To: 'Rafal Szczesniak'
Cc: 'Multiple recipients of list SAMBA-TECHNICAL'
Subject: RE: Authentication through Transitive Trusts

All operations are working correctly, including user/group mapping,
user/group listings, authentication, etc.  

And everything works fine for domains listed in wbinfo -m.  The only
problem comes when trying to authenticate against a sibling in the
forest (KAMA vs. CAMP in my example).  These are transitive trusts are
don't get listed in wbinfo -m.

I was mainly looking to see if anybody else has done this successfully
in similar configurations.


Ken Cross

Network Storage Solutions
Phone 865.675.4070 ext 31
kcross at 

> -----Original Message-----
> From: 
> at
> [ at lists.s
>] On Behalf Of Rafal Szczesniak
> Sent: Wednesday, April 02, 2003 3:27 PM
> To: Ken Cross
> Cc: 'Multiple recipients of list SAMBA-TECHNICAL'
> Subject: Re: Authentication through Transitive Trusts
> On Tue, Apr 01, 2003 at 10:45:07AM -0500, Ken Cross wrote:
> > Samba-folk:
> > 
> > I have an Active Directory with SUPTRA at the top and 2 other AD 
> > servers, KAMA and CAMP.
> > 
> > If Samba joins KAMA, it can authenticate against KAMA 
> and/or SUPTRA, 
> > but not CAMP.  wbinfo -u shows users from all 3 servers, 
> but wbinfo -m 
> > only shows SUPTRA.
> > 
> > KAMA and CAMP have an implicit transitive trust, but I 
> can't seem to 
> > get Samba to use it.  The authentication request is sent to 
> KAMA, but 
> > it gets NT_STATUS_NO_SUCH_USER.  (Same results if it joins CAMP and 
> > tries to authenticate against KAMA.)
> Sounds like winbind doesn't map to unix uid, correctly or 
> your ads domain join didn't work. You use winbind, don't you ?
> > Is there some trick to using transitive trusts (SAMBA_3_0)?
> Nope. Just make sure you have 'allow trusted domains = yes'. 
> It's set this way by default.
> cheers,
> -- 
>  Rafal Szczesniak      mimir[at]
>  Samba Team member     mimir[at]
> +---------------------------------------------------------+
>  *BSD, GNU/Linux and Samba
> +---------------------------------------------------------+

More information about the samba-technical mailing list