Authentication through transitive trusts

Marc Kaplan MKaplan at snapappliance.com
Thu Jul 17 21:05:31 GMT 2003


Ken wrote:
> This is a Big Deal for using Samba in enterprise systems.  Transitive trusts
> relieve the admin of having to maintain tons of trust relationships.  But
> Samba can't use them, which makes it much tougher to integrate into a large
> AD forest.  This is especially true where file servers (e.g., Samba) are
> typically placed in Resource domains and expected to use Authentication
> domains for authenticating users connecting to shares.

Does anybody use the concept of resource domains vs. authentication domains
in an Active Directory environment? I thought AD obviated the need for that
since the Active Directory can scale much more than the NT4 SAM could.

That said, I have been having similar problems to Ken, especially if I have
tree-root transitive trusts, i.e. (a-test.dom, b-test.dom and c-test.dom).
a-test.dom is the operations master for everything (RID allocation, PDC
Emulator, and Infrastructure). If Samba joins a-test.dom, clients from all
domains can authenticate to a-test.dom. If a Samba box joins b-test.dom, then
it will not be able to look up sequence for c-test.dom.

So the problem I've seen (though it's been a while since I've worked on
this) is that tree-root transitive trusts have a problem, but parent-child
trusts work fine. 

-Marc

> -----Original Message-----
> From: Ken Cross [mailto:kcross at nssolutions.com]
> Sent: Thursday, July 17, 2003 10:33 AM
> To: 'Multiple recipients of list SAMBA-TECHNICAL'
> Subject: RE: Authentication through transitive trusts
> 
> 
> Samba-folk:
> 
> On further investigation, apparently Samba 3.0 cannot (and will not in the
> near future) be able to authenticate through transitive trusts.  For
> example, in a simple AD forest:
> 
>   PARENT
>     |
>     +-> CHILD1
>     +-> CHILD2
> 
> If Samba joins PARENT, it can authenticate against any server.  But if it
> joins CHILD1 or CHILD2, it cannot authenticate against the other child,
> which is connected via a transitive trust.  You must set up an explicit
> trust between CHILD1 and CHILD2.
> 
> The reason is simple: you need Kerberos authentication for it to work.
> Samba doesn't use Kerberos for anything except its machine account, and I'm
> not aware of anything in the works to use Kerberos for user authentication.
> 
> This is a Big Deal for using Samba in enterprise systems.  Transitive trusts
> relieve the admin of having to maintain tons of trust relationships.  But
> Samba can't use them, which makes it much tougher to integrate into a large
> AD forest.  This is especially true where file servers (e.g., Samba) are
> typically placed in Resource domains and expected to use Authentication
> domains for authenticating users connecting to shares.
> 
> This is as of SAMBA_3_0 Beta 3.
> 
> I'm not bitching -- just making people aware.  (If I'm wrong, I'd be
> *delighted* -- please correct me!)
> 
> Thanks,
> Ken
> ________________________________
> 
> Ken Cross
> 
> Network Storage Solutions
> Phone 865.675.4070 ext 31
> kcross at nssolutions.com 
> 
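A small model of the two behaviours Ken describes, added here as an illustration and not code from Samba or from either poster. The domain names are the ones from Ken's diagram; the rule that a non-Kerberos server can only consult domains it holds a direct trust with (no referral chasing) is this example's assumption, not something the thread states explicitly.

```python
from collections import deque

class TrustGraph:
    """Domains joined by two-way transitive trusts, as in an AD forest."""

    def __init__(self):
        self.trusts = {}

    def add_trust(self, a, b):
        # Forest trusts (parent-child, tree-root) are two-way: record both sides.
        self.trusts.setdefault(a, set()).add(b)
        self.trusts.setdefault(b, set()).add(a)

    def has_direct_trust(self, a, b):
        return b in self.trusts.get(a, set())

    def kerberos_path(self, src, dst):
        """Referral chain a Kerberos client follows from src to dst, one direct
        trust per hop (BFS). Returns the list of domains, or None if unreachable."""
        parents = {src: None}
        queue = deque([src])
        while queue:
            cur = queue.popleft()
            if cur == dst:
                path = []
                while cur is not None:
                    path.append(cur)
                    cur = parents[cur]
                return path[::-1]
            for nxt in self.trusts.get(cur, ()):
                if nxt not in parents:
                    parents[nxt] = cur
                    queue.append(nxt)
        return None

def can_authenticate(graph, server_domain, user_domain, use_kerberos):
    """Can a server joined to server_domain authenticate a user from user_domain?
    Model assumption: without Kerberos only directly trusted domains are reachable."""
    if server_domain == user_domain:
        return True
    if use_kerberos:
        return graph.kerberos_path(server_domain, user_domain) is not None
    return graph.has_direct_trust(server_domain, user_domain)

def kens_forest():
    """The forest from Ken's mail: PARENT with children CHILD1 and CHILD2 (constructed)."""
    g = TrustGraph()
    g.add_trust("PARENT", "CHILD1")
    g.add_trust("PARENT", "CHILD2")
    return g
```

Joining PARENT works either way because PARENT trusts both children directly; joining CHILD1 reaches CHILD2 only via the Kerberos referral path, or after an explicit CHILD1-CHILD2 trust is added.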