Authentication through transitive trusts
Ken Cross
kcross at nssolutions.com
Thu Jul 17 21:09:53 GMT 2003
You're right, of course, about the "need" for Resource/Authentication
domains in AD. That's a holdover from NT domains, but they are still very
common.
A parent-child trust works OK, but a parent-grandchild trust doesn't.
Anywhere that it isn't a direct parent-child connection seems to fail.
Ken
________________________________
Ken Cross
Network Storage Solutions
Phone 865.675.4070 ext 31
kcross at nssolutions.com
> -----Original Message-----
> From: Marc Kaplan [mailto:MKaplan at snapappliance.com]
> Sent: Thursday, July 17, 2003 5:06 PM
> To: 'Ken Cross'; 'Multiple recipients of list SAMBA-TECHNICAL'
> Subject: RE: Authentication through transitive trusts
>
>
> Ken wrote:
> > This is a Big Deal for using Samba in enterprise systems.
> > Transitive trusts
> > relieve the admin of having to maintain tons of trust
> > relationships. But
> > Samba can't use them, which makes it much tougher to
> > integrate into a large
> > AD forest. This is especially true where file servers (e.g.,
> > Samba) are
> > typically placed in Resource domains and expected to use
> > Authentication
> > domains for authenticating users connecting to shares.
>
> Does anybody use the concept of resource domains vs.
> authentication domains in an Active Directory environment? I
> thought AD obviated the need for that since the Active
> Directory can scale much more than the NT4 SAM could.
>
> That said, I have been having similar problems to Ken.
> Especially if I have tree-root transitive trusts, i.e.
> (a-test.dom, b-test.dom and c-test.dom). a-test.dom is the
> operations master for everything (RID allocation, PDC
> Emulator, and Infrastructure). If Samba joins a-test.dom,
> clients from all domains can authenticate to a-test.dom. If a
> Samba box joins b-test.dom, then it will not be able to look up
> sequence for c-test.dom.
>
> So the problem I've seen (though it's been a while since I've
> worked on
> this) is that tree-root transitive trusts have a problem, but
> parent-child trusts work fine.
>
> -Marc
>
> > -----Original Message-----
> > From: Ken Cross [mailto:kcross at nssolutions.com]
> > Sent: Thursday, July 17, 2003 10:33 AM
> > To: 'Multiple recipients of list SAMBA-TECHNICAL'
> > Subject: RE: Authentication through transitive trusts
> >
> >
> > Samba-folk:
> >
> > On further investigation, apparently Samba 3.0 cannot (and
> > will not in the
> > near future) be able to authenticate through transitive trusts. For
> > example, in a simple AD forest:
> >
> > PARENT
> >   |
> >   +-> CHILD1
> >   +-> CHILD2
> >
> > If Samba joins PARENT, it can authenticate against any
> > server. But if it
> > joins CHILD1 or CHILD2, it cannot authenticate against the
> > other child,
> > which is connected via a transitive trust. You must set up
> > an explicit
> > trust between CHILD1 and CHILD2.
> >
> > The reason is simple: you need Kerberos authentication for
> > it to work.
> > Samba doesn't use Kerberos for anything except its machine account,
> > and I'm not aware of anything in the works to use Kerberos for user
> > authentication.
> >
> > This is a Big Deal for using Samba in enterprise systems.
> > Transitive trusts
> > relieve the admin of having to maintain tons of trust
> > relationships. But
> > Samba can't use them, which makes it much tougher to
> > integrate into a large
> > AD forest. This is especially true where file servers (e.g.,
> > Samba) are
> > typically placed in Resource domains and expected to use
> > Authentication
> > domains for authenticating users connecting to shares.
> >
> > This is as of SAMBA_3_0 Beta 3.
> >
> > I'm not bitching -- just making people aware. (If I'm wrong, I'd be
> > *delighted* -- please correct me!)
> >
> > Thanks,
> > Ken
> > ________________________________
> >
> > Ken Cross
> >
> > Network Storage Solutions
> > Phone 865.675.4070 ext 31
> > kcross at nssolutions.com
> >
>
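The behaviour Ken and Marc describe reduces to one rule: a server that can follow Kerberos referrals can authenticate a user from any domain reachable over the forest's transitive trusts, whereas a server that only honours trusts made directly with its own domain (the Samba 3.0 beta 3 behaviour reported above) needs an explicit trust for every other domain. The following model, added here as an illustration and not taken from Samba or from anyone in this thread, builds the forest from Ken's PARENT/CHILD diagram plus a grandchild and Marc's tree-root case (constructed layout), and lets an admin enumerate which explicit trusts a direct-trust-only file server would still need. The "direct trusts only" simplification of Samba's behaviour is an assumption drawn from the two reports, not a statement of how Samba is implemented.

```python
"""Transitive vs. direct-only trust reachability in an AD forest.

Constructed example, not Samba code. Models the two authentication
behaviours discussed in the thread: Kerberos-style (any trust path works)
and direct-trusts-only (assumed simplification of the reported Samba 3.0
beta 3 behaviour).
"""
from collections import deque

# Constructed forest: every AD forest trust is two-way, so the graph is
# undirected. Tuple = (domain_a, domain_b, trust_kind).
FOREST_TRUSTS = [
    ("PARENT", "CHILD1", "parent-child"),        # Ken's diagram
    ("PARENT", "CHILD2", "parent-child"),
    ("CHILD1", "GRANDCHILD1", "parent-child"),   # Ken's grandchild case
    ("a-test.dom", "b-test.dom", "tree-root"),   # Marc's tree-root case
    ("a-test.dom", "c-test.dom", "tree-root"),
]


def build_graph(trusts):
    """Adjacency map: domain -> {neighbour: trust_kind}."""
    graph = {}
    for a, b, kind in trusts:
        graph.setdefault(a, {})[b] = kind
        graph.setdefault(b, {})[a] = kind
    return graph


FOREST = build_graph(FOREST_TRUSTS)


def trust_path(graph, src, dst):
    """Shortest chain of domains a Kerberos referral would walk from src to
    dst over transitive trusts, or None if no path exists."""
    if src == dst:
        return [src]
    prev = {src: None}
    queue = deque([src])
    while queue:
        cur = queue.popleft()
        for nxt in graph.get(cur, {}):
            if nxt in prev:
                continue
            prev[nxt] = cur
            if nxt == dst:
                path = [dst]
                while prev[path[-1]] is not None:
                    path.append(prev[path[-1]])
                return path[::-1]
            queue.append(nxt)
    return None


def can_authenticate(graph, server_domain, user_domain, transitive):
    """transitive=True: Kerberos-style, any trust path suffices.
    transitive=False: only a trust directly with the server's own domain
    counts (assumed model of the direct-trust-only behaviour)."""
    if server_domain == user_domain:
        return True
    if not transitive:
        return user_domain in graph.get(server_domain, {})
    return trust_path(graph, server_domain, user_domain) is not None


def missing_explicit_trusts(graph, server_domain, user_domains):
    """Domains an admin would have to trust explicitly so that a
    direct-trust-only server in server_domain can authenticate users from
    each listed domain."""
    return sorted(d for d in user_domains
                  if not can_authenticate(graph, server_domain, d,
                                          transitive=False))


if __name__ == "__main__":
    users = ["PARENT", "CHILD1", "CHILD2", "GRANDCHILD1"]
    for server in ("PARENT", "CHILD1", "b-test.dom"):
        for user in users + ["c-test.dom"]:
            via = trust_path(FOREST, server, user)
            print(f"server in {server:11} user from {user:11} "
                  f"direct-only={can_authenticate(FOREST, server, user, False)!s:5} "
                  f"transitive={can_authenticate(FOREST, server, user, True)!s:5} "
                  f"path={via}")
        print(f"  explicit trusts still needed for {server}: "
              f"{missing_explicit_trusts(FOREST, server, users)}")
```

Running it shows exactly the pattern from the thread: a server joined to PARENT reaches both children directly, a server joined to CHILD1 reaches CHILD2 only over the PARENT hop (so direct-only fails), PARENT cannot reach GRANDCHILD1 without the CHILD1 hop, and a server joined to b-test.dom cannot reach c-test.dom except through a-test.dom.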