Authentication through transitive trusts

Ken Cross kcross at
Thu Jul 17 17:33:05 GMT 2003


On further investigation, apparently Samba 3.0 cannot (and will not in the
near future) be able to authenticate through transitive trusts.  For
example, in a simple AD forest:

    +-> CHILD1
    +-> CHILD2

If Samba joins PARENT, it can authenticate against any server.  But if it
joins CHILD1 or CHILD2, it cannot authenticate against the other child,
which is connected via a transitive trust.  You must set up an explicit
trust between CHILD1 and CHILD2. 

The reason is simple: you need Kerberos authentication for it to work.
Samba doesn't use Kerberos for anything except its machine account, and I'm
not aware of anything in the works to use Kerberos for user authentication.

This is a Big Deal for using Samba in enterprise systems.  Transitive trusts
relieve the admin of having to maintain tons of trust relationships.  But
Samba can't use them, which makes it much tougher to integrate into a large
AD forest.  This is especially true where file servers (e.g., Samba) are
typically placed in Resource domains and expected to use Authentication
domains for authenticating users connecting to shares.

This is as of SAMBA_3_0 Beta 3.

I'm not bitching -- just making people aware.  (If I'm wrong, I'd be
*delighted* -- please correct me!)


Ken Cross

Network Storage Solutions
Phone 865.675.4070 ext 31
kcross at 

More information about the samba-technical mailing list