Authentication through transitive trusts

Ken Cross kcross at
Thu Jul 17 18:29:04 GMT 2003


I think we're talking apples and oranges.

The "AD-enabled client" doesn't connect to the AD server, it connects to
Samba.  And unless I'm badly mistaken (which I'd *love* to be), the client
does not use Kerberos to connect to Samba, it uses NTLM.  (NTLMSSP? SPNEGO?)

Hence, Samba passes the NTLM info to the AD server for authentication.  That
doesn't make it through transitive trusts, only explicit trusts.  :-(

Or more simply: have you ever seen a user connect to a Samba share by
authenticating through a transitive trust?  

In the example below, if Samba joins CHILD1, I cannot find any way for a
user to connect to a Samba share using an account on CHILD2 (e.g.,
CHILD2\Username) unless an explicit trust is set up between CHILD1 and

Clear as mud?


Ken Cross

Network Storage Solutions
Phone 865.675.4070 ext 31
kcross at 

> -----Original Message-----
> From: Steve Langasek [mailto:vorlon at] 
> Sent: Thursday, July 17, 2003 2:11 PM
> To: Ken Cross
> Cc: 'Multiple recipients of list SAMBA-TECHNICAL'
> Subject: Re: Authentication through transitive trusts
> On Thu, Jul 17, 2003 at 01:33:05PM -0400, Ken Cross wrote:
> > Samba-folk:
> > On further investigation, apparently Samba 3.0 cannot (and will not in
> > the near future) be able to authenticate through transitive trusts.
> > For example, in a simple AD forest:
> >   PARENT
> >     |
> >     +-> CHILD1
> >     +-> CHILD2
> > If Samba joins PARENT, it can authenticate against any server.  But if
> > it joins CHILD1 or CHILD2, it cannot authenticate against the other
> > child, which is connected via a transitive trust.  You must set up an
> > explicit trust between CHILD1 and CHILD2.
> > The reason is simple: you need Kerberos authentication for it to work.
> > Samba doesn't use Kerberos for anything except its machine account, and I'm
> > not aware of anything in the works to use Kerberos for user authentication.
> > This is a Big Deal for using Samba in enterprise systems.  Transitive trusts
> > relieve the admin of having to maintain tons of trust relationships.
> > But Samba can't use them, which makes it much tougher to integrate into a
> > large AD forest.  This is especially true where file servers (e.g., Samba)
> > are typically placed in Resource domains and expected to use
> > Authentication domains for authenticating users connecting to shares.
> > This is as of SAMBA_3_0 Beta 3.
> It's very unlikely that this is a Kerberos problem; by the 
> time the AD-enabled client connects to the server, the realm 
> transiting has already been taken care of among the AD 
> servers, and the client has been issued a service ticket 
> which must be valid for this Samba server.  If you're seeing 
> problems with Samba as a server being unable to field 
> requests from foreign AD clients, I think this is likely to 
> be either an issue with LDAP-based resolution of foreign 
> SIDs, or a side-effect of the recent winbind idmap changes 
> between beta2 and beta3.
> -- 
> Steve Langasek
> postmodern programmer
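The two messages above disagree about which authentication path is in play. The following is an added example, not part of the thread and not Samba code: a small Python model of the PARENT / CHILD1 / CHILD2 forest from the thread, applying the rule Ken states (NTLM pass-through works only across a direct, explicit trust) beside the rule Steve states (a Kerberos service ticket can be obtained across a chain of transitive trusts), so an admin can see which resource/account domain pairs each rule allows. The trust table, the `explicit_trust` edge added at the end and the function names are constructed for illustration; the rules are modelled as the thread describes them, not verified against any Samba release.

```python
from collections import deque

# Constructed trust table for the forest drawn in the thread:
# (trusting_domain, trusted_domain, transitive).
# Parent/child trusts in an AD forest are two-way and transitive.
FOREST_TRUSTS = [
    ("PARENT", "CHILD1", True),
    ("CHILD1", "PARENT", True),
    ("PARENT", "CHILD2", True),
    ("CHILD2", "PARENT", True),
]

# A hypothetical explicit (external, non-transitive) trust between the
# two child domains, the workaround the thread mentions.
EXPLICIT_TRUST = [("CHILD1", "CHILD2", False), ("CHILD2", "CHILD1", False)]


def build_graph(trusts):
    """Adjacency map: trusting domain -> {trusted domain: transitive?}."""
    graph = {}
    for trusting, trusted, transitive in trusts:
        graph.setdefault(trusting, {})[trusted] = transitive
        graph.setdefault(trusted, {})
    return graph


def direct_trust(graph, resource_domain, account_domain):
    """NTLM pass-through, as the thread describes it: the resource domain
    (where the Samba server is joined) must itself trust the account domain."""
    if resource_domain == account_domain:
        return True
    return account_domain in graph.get(resource_domain, {})


def kerberos_path(graph, resource_domain, account_domain):
    """Chain of realms a Kerberos referral could follow from the resource
    domain to the account domain. A one-hop path may use any trust; longer
    paths may only use transitive trusts. Returns the list of realms, or
    None when no chain exists."""
    if resource_domain == account_domain:
        return [resource_domain]
    queue = deque([[resource_domain]])
    seen = {resource_domain}
    while queue:
        path = queue.popleft()
        current = path[-1]
        for neighbour, transitive in graph.get(current, {}).items():
            if neighbour in seen:
                continue
            # A non-transitive trust cannot extend a chain beyond one hop.
            if not transitive and len(path) > 1:
                continue
            if neighbour == account_domain:
                return path + [neighbour]
            if transitive:
                seen.add(neighbour)
                queue.append(path + [neighbour])
    return None


def can_authenticate(trusts, resource_domain, account_domain, mechanism):
    """True if a user from account_domain could reach a Samba server joined
    to resource_domain under the named mechanism ('ntlm' or 'kerberos')."""
    graph = build_graph(trusts)
    if mechanism == "ntlm":
        return direct_trust(graph, resource_domain, account_domain)
    if mechanism == "kerberos":
        return kerberos_path(graph, resource_domain, account_domain) is not None
    raise ValueError("unknown mechanism: %r" % mechanism)


if __name__ == "__main__":
    for resource, account in [("PARENT", "CHILD2"), ("CHILD1", "CHILD2")]:
        for mech in ("ntlm", "kerberos"):
            ok = can_authenticate(FOREST_TRUSTS, resource, account, mech)
            print("Samba in %s, user from %s, %s: %s" % (resource, account, mech, ok))
    print("with explicit CHILD1<->CHILD2 trust, ntlm:",
          can_authenticate(FOREST_TRUSTS + EXPLICIT_TRUST, "CHILD1", "CHILD2", "ntlm"))
```

Running it reproduces the situation in the thread: a Samba server joined to PARENT accepts CHILD2 accounts under either rule, while one joined to CHILD1 accepts CHILD2 accounts only under the Kerberos rule (via PARENT) until the explicit CHILD1/CHILD2 trust is added.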
