Authentication through transitive trusts

Ken Cross kcross at nssolutions.com
Thu Jul 17 21:09:53 GMT 2003


You're right, of course, about the "need" for Resource/Authentication
domains in AD.  That's a holdover from NT domains, but they are still very
common.

A parent-child trust works OK, but a parent-grandchild trust doesn't.
Anywhere that it isn't a direct parent-child connection seems to fail.

Ken
________________________________

Ken Cross

Network Storage Solutions
Phone 865.675.4070 ext 31
kcross at nssolutions.com 

> -----Original Message-----
> From: Marc Kaplan [mailto:MKaplan at snapappliance.com] 
> Sent: Thursday, July 17, 2003 5:06 PM
> To: 'Ken Cross'; 'Multiple recipients of list SAMBA-TECHNICAL'
> Subject: RE: Authentication through transitive trusts
> 
> 
> Ken wrote:
> > This is a Big Deal for using Samba in enterprise systems.
> > Transitive trusts
> > relieve the admin of having to maintain tons of trust 
> > relationships.  But
> > Samba can't use them, which makes it much tougher to 
> > integrate into a large
> > AD forest.  This is especially true where file servers (e.g., 
> > Samba) are
> > typically placed in Resource domains and expected to use 
> > Authentication
> > domains for authenticating users connecting to shares.
> 
> Does anybody use the concept of resource domains vs. 
> authentication domains in an Active Directory environment? I 
> thought AD obviated the need for that since the Active 
> Directory can scale much more than the NT4 SAM could.
> 
> That said, I have been having similar problems to Ken. 
> Especially if I have a tree-root transitive trusts i.e. 
> (a-test.dom b-test.dom and c-test.dom). a-test.dom is the 
> operations master for everything (RID allocation, PDC 
> Emulator, and Infrastructure). If samba joins a-test.dom 
> clients from all domains can authenticate to a-test.dom. If a 
> Samba box joins b-test.dom than it will not be able to lookup 
> sequence for c-test.dom. 
> 
> So the problem I've seen (though it's been a while since I've 
> worked on
> this) is that tree-root transitive trusts have a problem, but 
> parent-child trusts work fine. 
> 
> 				-Marc
> 
> > -----Original Message-----
> > From: Ken Cross [mailto:kcross at nssolutions.com]
> > Sent: Thursday, July 17, 2003 10:33 AM
> > To: 'Multiple recipients of list SAMBA-TECHNICAL'
> > Subject: RE: Authentication through transitive trusts
> > 
> > 
> > Samba-folk:
> > 
> > On further investigation, apparently Samba 3.0 cannot (and
> > will not in the
> > near future) be able to authenticate through transitive trusts.  For
> > example, in a simple AD forest:
> > 
> >   PARENT
> >     |
> >     +-> CHILD1
> >     +-> CHILD2
> > 
> > If Samba joins PARENT, it can authenticate against any
> > server.  But if it
> > joins CHILD1 or CHILD2, it cannot authenticate against the 
> > other child,
> > which is connected via a transitive trust.  You must set up 
> > an explicit
> > trust between CHILD1 and CHILD2. 
> > 
> > The reason is simple: you need Kerberos authentication for 
> it to work. 
> > Samba doesn't use Kerberos for anything except its machine account, 
> > and I'm not aware of anything in the works to use Kerberos for user
> > authentication.
> > 
> > This is a Big Deal for using Samba in enterprise systems.
> > Transitive trusts
> > relieve the admin of having to maintain tons of trust 
> > relationships.  But
> > Samba can't use them, which makes it much tougher to 
> > integrate into a large
> > AD forest.  This is especially true where file servers (e.g., 
> > Samba) are
> > typically placed in Resource domains and expected to use 
> > Authentication
> > domains for authenticating users connecting to shares.
> > 
> > This is as of SAMBA_3_0 Beta 3.
> > 
> > I'm not bitching -- just making people aware.  (If I'm wrong, I'd be
> > *delighted* -- please correct me!)
> > 
> > Thanks,
> > Ken
> > ________________________________
> > 
> > Ken Cross
> > 
> > Network Storage Solutions
> > Phone 865.675.4070 ext 31
> > kcross at nssolutions.com
> > 
> 




More information about the samba-technical mailing list