Authentication through transitive trusts

Steve Langasek vorlon at
Thu Jul 17 18:10:49 GMT 2003

On Thu, Jul 17, 2003 at 01:33:05PM -0400, Ken Cross wrote:
> Samba-folk:

> On further investigation, apparently Samba 3.0 cannot (and will not in the
> near future) be able to authenticate through transitive trusts.  For
> example, in a simple AD forest:

>     |
>     +-> CHILD1
>     +-> CHILD2

> If Samba joins PARENT, it can authenticate against any server.  But if it
> joins CHILD1 or CHILD2, it cannot authenticate against the other child,
> which is connected via a transitive trust.  You must set up an explicit
> trust between CHILD1 and CHILD2. 

> The reason is simple: you need Kerberos authentication for it to work.
> Samba doesn't use Kerberos for anything except its machine account, and I'm
> not aware of anything in the works to use Kerberos for user authentication.

> This is a Big Deal for using Samba in enterprise systems.  Transitive trusts
> relieve the admin of having to maintain tons of trust relationships.  But
> Samba can't use them, which makes it much tougher to integrate into a large
> AD forest.  This is especially true where file servers (e.g., Samba) are
> typically placed in Resource domains and expected to use Authentication
> domains for authenticating users connecting to shares.

> This is as of SAMBA_3_0 Beta 3.

It's very unlikely that this is a Kerberos problem; by the time the
AD-enabled client connects to the server, the realm transiting has
already been taken care of among the AD servers, and the client has been
issued a service ticket which must be valid for this Samba server.  If
you're seeing problems with Samba as a server being unable to field
requests from foreign AD clients, I think this is likely to be either an
issue with LDAP-based resolution of foreign SIDs, or a side-effect of
the recent winbind idmap changes between beta2 and beta3.

Steve Langasek
postmodern programmer
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url :

More information about the samba-technical mailing list