Authentication through transitive trusts

Marc Kaplan MKaplan at snapappliance.com
Thu Jul 17 21:15:22 GMT 2003


Ken,

So if you have:
a.test
	b.a.test
		c.b.a.test

And you join c.b.a.test, do you get a sequence number from a.test? I just
want to find out if we're talking about the same thing (my issue is before a
client can even try to authenticate -- we don't get the users/groups).

It sounds to me like your issue is authentication, which is a step after
mine...

			-Marc

> -----Original Message-----
> From: Ken Cross [mailto:kcross at nssolutions.com]
> Sent: Thursday, July 17, 2003 2:10 PM
> To: Marc Kaplan; 'Multiple recipients of list SAMBA-TECHNICAL'
> Subject: RE: Authentication through transitive trusts
> 
> 
> You're right, of course, about the "need" for Resource/Authentication
> domains in AD.  That's a holdover from NT domains, but they are still very
> common.
> 
> A parent-child trust works OK, but a parent-grandchild trust doesn't.
> Anywhere that it isn't a direct parent-child connection seems to fail.
> 
> Ken
> ________________________________
> 
> Ken Cross
> 
> Network Storage Solutions
> Phone 865.675.4070 ext 31
> kcross at nssolutions.com 
> 
> > -----Original Message-----
> > From: Marc Kaplan [mailto:MKaplan at snapappliance.com] 
> > Sent: Thursday, July 17, 2003 5:06 PM
> > To: 'Ken Cross'; 'Multiple recipients of list SAMBA-TECHNICAL'
> > Subject: RE: Authentication through transitive trusts
> > 
> > 
> > Ken wrote:
> > > This is a Big Deal for using Samba in enterprise systems.  Transitive
> > > trusts relieve the admin of having to maintain tons of trust
> > > relationships.  But Samba can't use them, which makes it much tougher
> > > to integrate into a large AD forest.  This is especially true where
> > > file servers (e.g., Samba) are typically placed in Resource domains and
> > > expected to use Authentication domains for authenticating users
> > > connecting to shares.
> > 
> > Does anybody use the concept of resource domains vs. 
> > authentication domains in an Active Directory environment? I 
> > thought AD obviated the need for that since the Active 
> > Directory can scale much more than the NT4 SAM could.
> > 
> > That said, I have been having similar problems to Ken,
> > especially if I have tree-root transitive trusts, i.e.
> > (a-test.dom, b-test.dom and c-test.dom). a-test.dom is the
> > operations master for everything (RID allocation, PDC
> > Emulator, and Infrastructure). If Samba joins a-test.dom,
> > clients from all domains can authenticate to a-test.dom. If a
> > Samba box joins b-test.dom then it will not be able to look up
> > the sequence for c-test.dom.
> > 
> > So the problem I've seen (though it's been a while since I've worked on
> > this) is that tree-root transitive trusts have a problem, but
> > parent-child trusts work fine.
> > 
> > 				-Marc
> > 
> > > -----Original Message-----
> > > From: Ken Cross [mailto:kcross at nssolutions.com]
> > > Sent: Thursday, July 17, 2003 10:33 AM
> > > To: 'Multiple recipients of list SAMBA-TECHNICAL'
> > > Subject: RE: Authentication through transitive trusts
> > > 
> > > 
> > > Samba-folk:
> > > 
> > > On further investigation, apparently Samba 3.0 cannot (and will not in
> > > the near future be able to) authenticate through transitive trusts.  For
> > > example, in a simple AD forest:
> > > 
> > >   PARENT
> > >     |
> > >     +-> CHILD1
> > >     +-> CHILD2
> > > 
> > > If Samba joins PARENT, it can authenticate against any server.  But if
> > > it joins CHILD1 or CHILD2, it cannot authenticate against the other
> > > child, which is connected via a transitive trust.  You must set up an
> > > explicit trust between CHILD1 and CHILD2.
> > > 
> > > The reason is simple: you need Kerberos authentication for it to work.
> > > Samba doesn't use Kerberos for anything except its machine account,
> > > and I'm not aware of anything in the works to use Kerberos for user
> > > authentication.
> > > 
> > > This is a Big Deal for using Samba in enterprise systems.  Transitive
> > > trusts relieve the admin of having to maintain tons of trust
> > > relationships.  But Samba can't use them, which makes it much tougher
> > > to integrate into a large AD forest.  This is especially true where
> > > file servers (e.g., Samba) are typically placed in Resource domains and
> > > expected to use Authentication domains for authenticating users
> > > connecting to shares.
> > > 
> > > This is as of SAMBA_3_0 Beta 3.
> > > 
> > > I'm not bitching -- just making people aware.  (If I'm wrong, I'd be
> > > *delighted* -- please correct me!)
> > > 
> > > Thanks,
> > > Ken
> > > ________________________________
> > > 
> > > Ken Cross
> > > 
> > > Network Storage Solutions
> > > Phone 865.675.4070 ext 31
> > > kcross at nssolutions.com
> > > 
> > 
> 
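A small model of the trust topologies discussed in this thread, added here as an illustration; it is not code from Samba or from any of the posters. It builds the automatic two-way transitive trusts AD creates (parent-child within a tree, tree-root to forest root between trees; a constructed, simplified model of the forest) and resolves a trust path either transitively or restricted to a single direct hop, which is the behaviour Ken describes for a Samba member that does not use Kerberos for user authentication.

```python
from collections import deque

# Constructed forest models (not taken from any real deployment). Each edge
# is a two-way transitive trust that AD creates automatically: parent<->child
# inside a tree, and tree-root<->forest-root between trees.
def build_forest(parent_of, tree_roots, forest_root):
    trusts = {}
    def link(a, b):
        trusts.setdefault(a, set()).add(b)
        trusts.setdefault(b, set()).add(a)
    for child, parent in parent_of.items():
        link(child, parent)
    for root in tree_roots:
        link(root, forest_root)
    trusts.setdefault(forest_root, set())
    return trusts

def trust_path(trusts, src, dst, transitive=True):
    """Return the chain of domains a lookup from src to dst traverses, or
    None if dst is unreachable. With transitive=False only a directly
    trusted domain (one hop) is reachable, which is the limitation the
    thread describes for Samba 3.0 without Kerberos user authentication."""
    if src == dst:
        return [src]
    max_hops = None if transitive else 1
    queue = deque([(src, [src])])
    seen = {src}
    while queue:
        node, path = queue.popleft()
        if max_hops is not None and len(path) - 1 >= max_hops:
            continue  # direct-only mode: do not follow a second hop
        for nxt in trusts.get(node, ()):
            if nxt in seen:
                continue
            if nxt == dst:
                return path + [nxt]
            seen.add(nxt)
            queue.append((nxt, path + [nxt]))
    return None

# Marc's chain: a.test -> b.a.test -> c.b.a.test (grandchild needs two hops)
CHAIN = build_forest({"b.a.test": "a.test", "c.b.a.test": "b.a.test"}, [], "a.test")
# Ken's forest: PARENT with CHILD1 and CHILD2 (siblings trust via PARENT)
SIBLINGS = build_forest({"CHILD1": "PARENT", "CHILD2": "PARENT"}, [], "PARENT")
# Marc's tree roots: a-test.dom is the forest root, b-test.dom and c-test.dom
# are tree roots trusted only through it
TREES = build_forest({}, ["b-test.dom", "c-test.dom"], "a-test.dom")

if __name__ == "__main__":
    print(trust_path(CHAIN, "c.b.a.test", "a.test"))         # two-hop path
    print(trust_path(CHAIN, "c.b.a.test", "a.test", False))  # None: no direct trust
```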