Authentication through transitive trusts
Steve Langasek
vorlon at netexpress.net
Thu Jul 17 18:10:49 GMT 2003
On Thu, Jul 17, 2003 at 01:33:05PM -0400, Ken Cross wrote:
> Samba-folk:
> On further investigation, apparently Samba 3.0 cannot (and will not in the
> near future be able to) authenticate through transitive trusts. For
> example, in a simple AD forest:
> PARENT
> |
> +-> CHILD1
> +-> CHILD2
> If Samba joins PARENT, it can authenticate against any server. But if it
> joins CHILD1 or CHILD2, it cannot authenticate against the other child,
> which is connected via a transitive trust. You must set up an explicit
> trust between CHILD1 and CHILD2.
> The reason is simple: you need Kerberos authentication for it to work.
> Samba doesn't use Kerberos for anything except its machine account, and I'm
> not aware of anything in the works to use Kerberos for user authentication.
> This is a Big Deal for using Samba in enterprise systems. Transitive trusts
> relieve the admin of having to maintain tons of trust relationships. But
> Samba can't use them, which makes it much tougher to integrate into a large
> AD forest. This is especially true where file servers (e.g., Samba) are
> typically placed in Resource domains and expected to use Authentication
> domains for authenticating users connecting to shares.
> This is as of SAMBA_3_0 Beta 3.
It's very unlikely that this is a Kerberos problem; by the time the
AD-enabled client connects to the server, the realm transiting has
already been taken care of among the AD servers, and the client has been
issued a service ticket which must be valid for this Samba server. If
you're seeing problems with Samba as a server being unable to field
requests from foreign AD clients, I think this is likely to be either an
issue with LDAP-based resolution of foreign SIDs, or a side-effect of
the recent winbind idmap changes between beta2 and beta3.
--
Steve Langasek
postmodern programmer
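Steve's point (the realm transiting is settled among the KDCs, and the file server only has to validate a ticket under its own key) as an added, simplified Python model that is not part of this thread or of Samba: the realm names follow Ken's forest, the keys are made-up bytes, and an HMAC tag stands in for real Kerberos ticket encryption.

```python
import hashlib, hmac, json

# Constructed sample forest from the thread (made-up keys, not real Kerberos
# keys): each KDC holds its own krbtgt key, its services' keys and one
# inter-realm key per direct parent/child trust. Nothing links CHILD1 to CHILD2.
KEYS = {
    "CHILD1": {"krbtgt/CHILD1": b"c1-tgt", "krbtgt/PARENT": b"c1-parent"},
    "PARENT": {"krbtgt/PARENT": b"c1-parent", "krbtgt/CHILD2": b"parent-c2"},
    "CHILD2": {"krbtgt/CHILD2": b"parent-c2", "cifs/samba": b"samba-key"},
}
DIRECT_TRUSTS = {"CHILD1": ["PARENT"], "PARENT": ["CHILD1", "CHILD2"], "CHILD2": ["PARENT"]}

def realm_path(src, dst):
    """Breadth-first search over direct trusts: the KDCs a request must visit."""
    paths, queue = {src: [src]}, [src]
    while queue:
        cur = queue.pop(0)
        if cur == dst:
            return paths[cur]
        for nxt in DIRECT_TRUSTS.get(cur, []):
            if nxt not in paths:
                paths[nxt] = paths[cur] + [nxt]
                queue.append(nxt)
    return None

# seal/unseal stand in for encrypting a ticket under a key: JSON body plus HMAC tag.
def seal(key, body):
    raw = json.dumps(body, sort_keys=True).encode()
    return {"body": body, "tag": hmac.new(key, raw, hashlib.sha256).hexdigest()}

def unseal(key, ticket):
    raw = json.dumps(ticket["body"], sort_keys=True).encode()
    if not hmac.compare_digest(ticket["tag"], hmac.new(key, raw, hashlib.sha256).hexdigest()):
        raise ValueError("ticket was not issued under this key")
    return ticket["body"]

def get_service_ticket(client, client_realm, service, service_realm):
    """Each KDC on the path re-issues a cross-realm TGT and records the intermediate realms."""
    path = realm_path(client_realm, service_realm)
    if path is None:
        raise LookupError(f"no trust path from {client_realm} to {service_realm}")
    tgt = seal(KEYS[client_realm]["krbtgt/" + client_realm], {"client": client, "transited": []})
    for cur, nxt in zip(path, path[1:]):
        body = unseal(KEYS[cur]["krbtgt/" + cur], tgt)  # KDC 'cur' validates the TGT it is shown
        transited = body["transited"] + ([cur] if cur != client_realm else [])
        tgt = seal(KEYS[cur]["krbtgt/" + nxt], {"client": client, "transited": transited})
    return seal(KEYS[service_realm][service], unseal(KEYS[service_realm]["krbtgt/" + service_realm], tgt))

def server_accepts(ticket):
    """The Samba server needs only its own service key; the realm hopping is already done."""
    return unseal(KEYS["CHILD2"]["cifs/samba"], ticket)
```

If a direct CHILD1/CHILD2 trust were added to DIRECT_TRUSTS (with matching keys), the same walk would take one hop and leave `transited` empty; with no path at all the request fails at the KDC, never at the server.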