Fixed [was Re: Authentication through transitive trusts]

Gerald (Jerry) Carter jerry at samba.org
Sat Aug 2 15:43:38 GMT 2003



On Thu, 31 Jul 2003, Ken Cross wrote:

> Jerry et al:
> 
> THANK YOU for your efforts!  Here's what I've discovered so far with this
> setup:
> 
> 
>  PARENT
>   +-- CAMP (mixed-mode)
>   +-- KAMA (mixed-mode)
>        +-- JAYA (native-mode)
> 
> 
> Mixed-mode DCs
> 
> I know you said it must be native mode, but the DCs I was using were mixed
> mode so I did some testing there first (once you change to native mode, you
> can't go back).  I had 2 mixed-mode DCs that are both Win2000 SP3.

The issue is more with mixed mode trusted DCs.  The problem is that we 
have to use RPC for mixed mode trusted DCs because we don't know if 
a DC we pick will be NT4 or 2k.  The RPC for enumerating all domains in the 
forest is only available on 2k/2k3 DCs.  But since we ask our DC for the 
trusted domains and the admin specifies security = ads|domain, this really 
doesn't matter I guess.  

> The mixed-mode DCs basically acted like previous builds except that
> enumerating users/groups showed them from all transitive trusts if "Allow
> trusted domains" is enabled.  That's nice.  Authentication works as before,
> i.e., authenticates against the DC and its parent.  

So connecting as a user from PARENT to a Samba box in JAYA doesn't work?

> wbinfo -m shows the same (self and parent), but wbinfo --sequence shows
> sequence numbers from transitive trusts, too (if "Allow trusted domains" is
> enabled).

Can you send me a level 10 debug log for winbindd from startup to the end 
of wbinfo -m?  Thanks.

> Native-mode DCs
> 
> If "Allow trusted domains" is enabled, all users/groups on all transitive
> trusts are displayed.  Authentication works on all transitive trusts.  Yea!
> 
> If "Allow trusted domains" is disabled, only users/groups in the domain
> joined show up.  Also, authentication only works on the joined domain.

So everything is ok here.

> Wish List
> 
> Is that how it *should* work?  Is there any way to enumerate users/groups
> from the joined domain but authenticate against any domain?

We have to be able to enumerate users from trusted domains as part of 
the SID<->uid/gid process.  But if you don't want them enumerated,
see "winbind enumerate users" in smb.conf(5).
 
> We have a customer with 650+ domains.  Clearly, enumerating all those
> suckers will be painful.  But if we join a "resource" domain, we'd want to
> be able to authenticate against an "authentication" domain (that has all the
> user accounts).

You really need to set 'winbind enumerate users = no' in this case.
Same thing for groups.

It would be an easy change to make winbindd only enumerate users from our 
local domain as in 'getent passwd' or even for wbinfo -u.  See 
winbindd_setpwent().

> Also, do you think working with mixed-mode DCs is feasible?

I'm perplexed about this.  It should work.  I'm going to open
a report in bugzilla about this so we can track it.

cheers, jerry
 ----------------------------------------------------------------------
 Hewlett-Packard            ------------------------- http://www.hp.com
 SAMBA Team                 ---------------------- http://www.samba.org
 GnuPG Key                  ---- http://www.plainjoe.org/gpg_public.asc
 "You can never go home again, Oatman, but I guess you can shop there."  
                            --John Cusack - "Grosse Point Blank" (1997)

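For the "resource domain joined, authentication domain elsewhere" setup Ken asks about, the following smb.conf fragment is an added illustration of the settings Jerry points to; it is not from the original thread or from the Samba project, and the realm, domain names other than JAYA, and idmap ranges are made-up placeholders. It keeps 'allow trusted domains' enabled so users from any domain in the forest can authenticate, while turning off the user and group enumeration that would otherwise walk every trusted domain on 'getent passwd' or 'wbinfo -u':

```ini
[global]
   # Placeholder values (assumed, not from the thread): the resource domain
   # the Samba box is joined to, which must be a native-mode AD domain for
   # transitive trusts to work as described above.
   workgroup = JAYA
   realm = JAYA.EXAMPLE.LOCAL
   security = ads

   # Keep trusts on: with 'allow trusted domains = no' winbind only sees the
   # joined domain and authentication from PARENT or CAMP fails.
   allow trusted domains = yes

   # Don't enumerate: SID<->uid/gid mapping still works for individual
   # lookups, but 'getent passwd' / 'wbinfo -u' stop walking every trusted
   # domain (the painful case with 650+ domains).
   winbind enumerate users = no
   winbind enumerate groups = no

   # Placeholder idmap ranges (assumed): winbind allocates uids/gids for
   # trusted-domain SIDs from here as they are first seen.
   idmap uid = 10000-20000
   idmap gid = 10000-20000

   # Optional: strip the DOMAIN\ prefix for the joined domain only; users
   # from trusted domains still appear as DOMAIN\user.
   winbind use default domain = yes
```

After reloading, 'wbinfo -t' should still succeed and 'wbinfo -a PARENT\\someuser%password' (with a real account) should authenticate against the trusted domain, while 'wbinfo -u' now returns nothing or only locally known users rather than the whole forest.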