Authentication through Transitive Trusts
Ken Cross
kcross at nssolutions.com
Wed Apr 9 21:13:05 GMT 2003
Part of this problem could be due to the fact that Samba uses NTLM
instead of Kerberos for user authentication.
If the transitive trusts work via Kerberos referrals, I think we could
be screwed.
Ken
________________________________
Ken Cross
Network Storage Solutions
Phone 865.675.4070 ext 31
kcross at nssolutions.com
> -----Original Message-----
> From: samba-technical-bounces+kcross=nssolutions.com at lists.samba.org
> [mailto:samba-technical-bounces+kcross=nssolutions.com at lists.samba.org]
> On Behalf Of Ken Cross
> Sent: Wednesday, April 02, 2003 3:37 PM
> To: 'Rafal Szczesniak'
> Cc: 'Multiple recipients of list SAMBA-TECHNICAL'
> Subject: RE: Authentication through Transitive Trusts
>
>
> All operations are working correctly, including user/group
> mapping, user/group listings, authentication, etc.
>
> And everything works fine for domains listed in wbinfo -m.
> The only problem comes when trying to authenticate against a
> sibling in the forest (KAMA vs. CAMP in my example). These
> are transitive trusts and don't get listed in wbinfo -m.
>
> I was mainly looking to see if anybody else has done this
> successfully in similar configurations.
>
> Ken
> ________________________________
>
> Ken Cross
>
> Network Storage Solutions
> Phone 865.675.4070 ext 31
> kcross at nssolutions.com
>
> > -----Original Message-----
> > From: samba-technical-bounces+kcross=nssolutions.com at lists.samba.org
> > [mailto:samba-technical-bounces+kcross=nssolutions.com at lists.samba.org]
> > On Behalf Of Rafal Szczesniak
> > Sent: Wednesday, April 02, 2003 3:27 PM
> > To: Ken Cross
> > Cc: 'Multiple recipients of list SAMBA-TECHNICAL'
> > Subject: Re: Authentication through Transitive Trusts
> >
> >
> > On Tue, Apr 01, 2003 at 10:45:07AM -0500, Ken Cross wrote:
> > > Samba-folk:
> > >
> > > I have an Active Directory with SUPTRA at the top and 2 other AD
> > > servers, KAMA and CAMP.
> > >
> > > If Samba joins KAMA, it can authenticate against KAMA and/or SUPTRA,
> > > but not CAMP. wbinfo -u shows users from all 3 servers, but wbinfo -m
> > > only shows SUPTRA.
> > >
> > > KAMA and CAMP have an implicit transitive trust, but I can't seem to
> > > get Samba to use it. The authentication request is sent to KAMA, but
> > > it gets NT_STATUS_NO_SUCH_USER. (Same results if it joins CAMP and
> > > tries to authenticate against KAMA.)
> >
> > Sounds like winbind doesn't map to unix uid correctly, or
> > your ads domain join didn't work. You use winbind, don't you?
> >
> > > Is there some trick to using transitive trusts (SAMBA_3_0)?
> >
> > Nope. Just make sure you have 'allow trusted domains = yes'.
> > It's set this way by default.
> >
> >
> > cheers,
> > --
> > Rafal Szczesniak mimir[at]diament.ists.pwr.wroc.pl
> > Samba Team member mimir[at]samba.org
> > +---------------------------------------------------------+
> > *BSD, GNU/Linux and Samba http://www.samba.org
> > +---------------------------------------------------------+
> >
>
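
A diagnostic for the symptom described in this thread, as an added example that is not part of any poster's message or of Samba itself: it compares saved `wbinfo -u` and `wbinfo -m` output and prints the domains whose users are enumerated but which are not listed as trusted. The function names, user names and temporary file layout are assumptions, and the sample data is constructed from the domain names in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): list domains whose users winbind
# enumerates but which "wbinfo -m" does not report as trusted.
# Assumption: default winbind separator "\", one entry per line.

# unlisted_domains JOINED USERS_FILE TRUSTED_FILE
unlisted_domains() {
    awk -v joined="$1" '
        # First file: trusted domain names as printed by "wbinfo -m".
        FILENAME == ARGV[1] { if ($0 != "") known[toupper($0)] = 1; next }
        # Second file: DOMAIN\user lines as printed by "wbinfo -u".
        {
            i = index($0, "\\")
            if (i < 2) next            # no domain prefix: skip the line
            d = toupper(substr($0, 1, i - 1))
            if (d != toupper(joined) && !(d in known)) missing[d] = 1
        }
        END { for (d in missing) print d }
    ' "$3" "$2" | sort
}

# Constructed sample output using the domain names from the thread.
sample_users() {
    printf '%s\n' 'KAMA\alice' 'SUPTRA\bob' 'CAMP\carol' 'CAMP\dave'
}
sample_trusted() {
    printf '%s\n' 'SUPTRA'
}

demo() {
    dir=$(mktemp -d) || return 1
    sample_users > "$dir/users"       # live: wbinfo -u > "$dir/users"
    sample_trusted > "$dir/trusted"   # live: wbinfo -m > "$dir/trusted"
    unlisted_domains KAMA "$dir/users" "$dir/trusted"
    rm -rf "$dir"
}

demo
```

On the sample data the only domain reported is CAMP, the sibling domain that the thread says fails authentication.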