Authentication through transitive trusts

Ken Cross kcross at nssolutions.com
Thu Jul 17 21:18:10 GMT 2003


I think they're the same issue.  

No, you don't see the sequence numbers for any except the parent or child.
No, you can't authenticate to anything except the parent or child.

Ken
________________________________

Ken Cross

Network Storage Solutions
Phone 865.675.4070 ext 31
kcross at nssolutions.com 

> -----Original Message-----
> From: Marc Kaplan [mailto:MKaplan at snapappliance.com] 
> Sent: Thursday, July 17, 2003 5:15 PM
> To: 'Ken Cross'; 'Multiple recipients of list SAMBA-TECHNICAL'
> Subject: RE: Authentication through transitive trusts
> 
> 
> Ken,
> 
> So if you have:
> a.test
> 	b.a.test
> 		c.b.a.test
> 
> And you join c.b.a.test do you get a sequence number from 
> a.test? I just want to find out if we're talking about the 
> same thing(My issue is before a client can even try to 
> authenticate -- we don't get the users/groups). 
> 
> It sounds to me like your issue is authentication, which is a 
> step after mine...
> 
> 			-Marc
> 
> > -----Original Message-----
> > From: Ken Cross [mailto:kcross at nssolutions.com]
> > Sent: Thursday, July 17, 2003 2:10 PM
> > To: Marc Kaplan; 'Multiple recipients of list SAMBA-TECHNICAL'
> > Subject: RE: Authentication through transitive trusts
> > 
> > 
> > You're right, of course, about the "need" for Resource/Authentication
> > domains in AD.  That's a holdover from NT domains, but they are still
> > very common.
> > 
> > A parent-child trust works OK, but a parent-grandchild trust doesn't.
> > Anywhere that it isn't a direct parent-child connection seems to fail.
> > 
> > Ken
> > ________________________________
> > 
> > Ken Cross
> > 
> > Network Storage Solutions
> > Phone 865.675.4070 ext 31
> > kcross at nssolutions.com
> > 
> > > -----Original Message-----
> > > From: Marc Kaplan [mailto:MKaplan at snapappliance.com]
> > > Sent: Thursday, July 17, 2003 5:06 PM
> > > To: 'Ken Cross'; 'Multiple recipients of list SAMBA-TECHNICAL'
> > > Subject: RE: Authentication through transitive trusts
> > > 
> > > 
> > > Ken wrote:
> > > > This is a Big Deal for using Samba in enterprise systems.
> > > > Transitive trusts relieve the admin of having to maintain tons of
> > > > trust relationships.  But Samba can't use them, which makes it much
> > > > tougher to integrate into a large AD forest.  This is especially true
> > > > where file servers (e.g., Samba) are typically placed in Resource
> > > > domains and expected to use Authentication domains for authenticating
> > > > users connecting to shares.
> > > 
> > > Does anybody use the concept of resource domains vs.
> > > authentication domains in an Active Directory environment? I 
> > > thought AD obviated the need for that since the Active 
> > > Directory can scale much more than the NT4 SAM could.
> > > 
> > > That said, I have been having similar problems to Ken.
> > > Especially if I have tree-root transitive trusts, i.e.
> > > (a-test.dom, b-test.dom and c-test.dom). a-test.dom is the
> > > operations master for everything (RID allocation, PDC
> > > Emulator, and Infrastructure). If Samba joins a-test.dom,
> > > clients from all domains can authenticate to a-test.dom. If a
> > > Samba box joins b-test.dom then it will not be able to look up
> > > sequence for c-test.dom.
> > > 
> > > So the problem I've seen (though it's been a while since I've
> > > worked on this) is that tree-root transitive trusts have a problem,
> > > but parent-child trusts work fine.
> > > 
> > > 				-Marc
> > > 
> > > > -----Original Message-----
> > > > From: Ken Cross [mailto:kcross at nssolutions.com]
> > > > Sent: Thursday, July 17, 2003 10:33 AM
> > > > To: 'Multiple recipients of list SAMBA-TECHNICAL'
> > > > Subject: RE: Authentication through transitive trusts
> > > > 
> > > > 
> > > > Samba-folk:
> > > > 
> > > > On further investigation, apparently Samba 3.0 cannot (and will
> > > > not in the near future) be able to authenticate through transitive
> > > > trusts.  For example, in a simple AD forest:
> > > > 
> > > >   PARENT
> > > >     |
> > > >     +-> CHILD1
> > > >     +-> CHILD2
> > > > 
> > > > If Samba joins PARENT, it can authenticate against any server.
> > > > But if it joins CHILD1 or CHILD2, it cannot authenticate against
> > > > the other child, which is connected via a transitive trust.  You
> > > > must set up an explicit trust between CHILD1 and CHILD2.
> > > > 
> > > > The reason is simple: you need Kerberos authentication for it to
> > > > work.  Samba doesn't use Kerberos for anything except its machine
> > > > account, and I'm not aware of anything in the works to use Kerberos
> > > > for user authentication.
> > > > 
> > > > This is a Big Deal for using Samba in enterprise systems.
> > > > Transitive trusts relieve the admin of having to maintain tons of
> > > > trust relationships.  But Samba can't use them, which makes it much
> > > > tougher to integrate into a large AD forest.  This is especially true
> > > > where file servers (e.g., Samba) are typically placed in Resource
> > > > domains and expected to use Authentication domains for authenticating
> > > > users connecting to shares.
> > > > 
> > > > This is as of SAMBA_3_0 Beta 3.
> > > > 
> > > > I'm not bitching -- just making people aware.  (If I'm wrong, I'd
> > > > be *delighted* -- please correct me!)
> > > > 
> > > > Thanks,
> > > > Ken
> > > > ________________________________
> > > > 
> > > > Ken Cross
> > > > 
> > > > Network Storage Solutions
> > > > Phone 865.675.4070 ext 31
> > > > kcross at nssolutions.com
> > > > 
> > > 
> > 
> 
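The following is an added illustration, not part of the thread and not Samba code: a small Python model of the two forest layouts discussed above (PARENT/CHILD1/CHILD2 from Ken's first mail, and the a.test / b.a.test / c.b.a.test tree from Marc's). It contrasts a member that can walk transitive trust paths hop by hop, the way a Kerberos referral chain crosses parent-child links, with a member that only honours the direct trusts of the domain it joined, which is the behaviour the thread reports for the Samba 3.0 beta. The trust graphs are constructed for the example, the `transitive=False` branch is an assumption about the reported behaviour rather than a description of Samba's implementation, and `add_explicit_trust` models the workaround Ken mentions (an explicit CHILD1-CHILD2 trust).

```python
"""Trust-path resolution in a small AD forest model (added example,
not Samba code).  Shows why a member of CHILD1 reaches CHILD2 only when
trust paths are followed transitively, and why a grandchild cannot
reach the tree root when only direct trusts count."""

from collections import deque

# Constructed forest from the first mail: PARENT with two child domains.
# Each entry lists the domains the key has a direct (two-way) trust with.
FOREST_A = {
    "PARENT": {"CHILD1", "CHILD2"},
    "CHILD1": {"PARENT"},
    "CHILD2": {"PARENT"},
}

# Constructed three-level tree from Marc's follow-up.
FOREST_B = {
    "a.test": {"b.a.test"},
    "b.a.test": {"a.test", "c.b.a.test"},
    "c.b.a.test": {"b.a.test"},
}


def add_explicit_trust(forest, d1, d2):
    """Return a copy of `forest` with a direct two-way trust d1 <-> d2
    (the explicit-trust workaround described in the thread)."""
    forest = {k: set(v) for k, v in forest.items()}
    forest.setdefault(d1, set()).add(d2)
    forest.setdefault(d2, set()).add(d1)
    return forest


def trust_path(forest, joined, target, transitive):
    """Chain of domains a member of `joined` walks to reach `target`,
    or None when no usable path exists.

    transitive=True  : follow trusts hop by hop (Kerberos referral style).
    transitive=False : only domains `joined` trusts directly are reachable
                       (assumed model of the behaviour reported above).
    """
    if joined == target:
        return [joined]
    direct = forest.get(joined, set())
    if not transitive:
        return [joined, target] if target in direct else None
    # Breadth-first search over the trust graph, recording predecessors.
    prev = {joined: None}
    queue = deque([joined])
    while queue:
        cur = queue.popleft()
        for nxt in forest.get(cur, ()):
            if nxt in prev:
                continue
            prev[nxt] = cur
            if nxt == target:
                path = [nxt]
                while prev[path[-1]] is not None:
                    path.append(prev[path[-1]])
                return path[::-1]
            queue.append(nxt)
    return None


def can_authenticate(forest, joined, target, transitive):
    """True when a member of `joined` can reach `target` for authentication."""
    return trust_path(forest, joined, target, transitive) is not None


def report(forest, joined, targets):
    """One status line per target, comparing the two resolution models."""
    lines = []
    for t in targets:
        hop = can_authenticate(forest, joined, t, transitive=True)
        dir_ = can_authenticate(forest, joined, t, transitive=False)
        lines.append(f"{joined} -> {t}: transitive={'ok' if hop else 'FAIL'} "
                     f"direct-only={'ok' if dir_ else 'FAIL'}")
    return lines


if __name__ == "__main__":
    for line in report(FOREST_A, "CHILD1", ["PARENT", "CHILD2"]):
        print(line)
    for line in report(FOREST_B, "c.b.a.test", ["b.a.test", "a.test"]):
        print(line)
    # The workaround: an explicit trust makes CHILD2 directly reachable.
    for line in report(add_explicit_trust(FOREST_A, "CHILD1", "CHILD2"),
                       "CHILD1", ["CHILD2"]):
        print(line)
```

Running it prints `CHILD1 -> CHILD2` as reachable only in the transitive column until the explicit trust is added, and `c.b.a.test -> a.test` likewise fails in the direct-only column, which is the parent-grandchild case Ken reports. The useful check for an operator is the same one the model makes explicit: for each resource domain a file server joins, list which account domains must be reachable and whether the join domain trusts them directly or only through the forest path.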



