Authentication through transitive trusts
Ken Cross
kcross at nssolutions.com
Thu Jul 17 21:41:44 GMT 2003
Are a.com and c.b.a.com both AD (as opposed to NT)?
Is there any kind of explicit trust between them?
Ken
________________________________
Ken Cross
Network Storage Solutions
Phone 865.675.4070 ext 31
kcross at nssolutions.com
> -----Original Message-----
> From: Chere Zhou [mailto:qzhou at isilon.com]
> Sent: Thursday, July 17, 2003 5:52 PM
> To: Ken Cross; 'Marc Kaplan'; 'Multiple recipients of list
> SAMBA-TECHNICAL'
> Subject: Re: Authentication through transitive trusts
>
>
> I just checked with my 3.0alpha21 installation. I have samba joined a.com,
> and there are b.a.com and c.b.a.com. There is a sequence number for
> c.b.a.com, and wbinfo -u lists c.b.a.com users too. I can also connect to
> the samba box as a user in c.b.a.com. Is there something in the current
> code that broke it? I do not have across root trusts right now to test
> with though.
>
>
> On Thursday 17 July 2003 02:18 pm, Ken Cross wrote:
> > I think they're the same issue.
> >
> > No, you don't see the sequence numbers for any except the parent or
> > child. No, you can't authenticate to anything except the parent or
> > child.
> >
> > Ken
> > ________________________________
> >
> > Ken Cross
> >
> > Network Storage Solutions
> > Phone 865.675.4070 ext 31
> > kcross at nssolutions.com
> >
> > > -----Original Message-----
> > > From: Marc Kaplan [mailto:MKaplan at snapappliance.com]
> > > Sent: Thursday, July 17, 2003 5:15 PM
> > > To: 'Ken Cross'; 'Multiple recipients of list SAMBA-TECHNICAL'
> > > Subject: RE: Authentication through transitive trusts
> > >
> > >
> > > Ken,
> > >
> > > So if you have:
> > > a.test
> > > b.a.test
> > > c.b.a.test
> > >
> > > And you join c.b.a.test, do you get a sequence number from a.test? I
> > > just want to find out if we're talking about the same thing (my issue
> > > is before a client can even try to authenticate -- we don't get the
> > > users/groups).
> > >
> > > It sounds to me like your issue is authentication, which is a step
> > > after mine...
> > >
> > > -Marc
> > >
> > > > -----Original Message-----
> > > > From: Ken Cross [mailto:kcross at nssolutions.com]
> > > > Sent: Thursday, July 17, 2003 2:10 PM
> > > > To: Marc Kaplan; 'Multiple recipients of list SAMBA-TECHNICAL'
> > > > Subject: RE: Authentication through transitive trusts
> > > >
> > > >
> > > > You're right, of course, about the "need" for Resource/Authentication
> > > > domains in AD. That's a holdover from NT domains, but they are still
> > > > very common.
> > > >
> > > > A parent-child trust works OK, but a parent-grandchild trust doesn't.
> > > > Anywhere that it isn't a direct parent-child connection seems to fail.
> > > >
> > > > Ken
> > > > ________________________________
> > > >
> > > > Ken Cross
> > > >
> > > > Network Storage Solutions
> > > > Phone 865.675.4070 ext 31
> > > > kcross at nssolutions.com
> > > >
> > > > > -----Original Message-----
> > > > > From: Marc Kaplan [mailto:MKaplan at snapappliance.com]
> > > > > Sent: Thursday, July 17, 2003 5:06 PM
> > > > > To: 'Ken Cross'; 'Multiple recipients of list SAMBA-TECHNICAL'
> > > > > Subject: RE: Authentication through transitive trusts
> > > > >
> > > > > Ken wrote:
> > > > > > This is a Big Deal for using Samba in enterprise systems.
> > > > > > Transitive trusts relieve the admin of having to maintain tons of
> > > > > > trust relationships. But Samba can't use them, which makes it much
> > > > > > tougher to integrate into a large AD forest. This is especially
> > > > > > true where file servers (e.g., Samba) are typically placed in
> > > > > > Resource domains and expected to use Authentication domains for
> > > > > > authenticating users connecting to shares.
> > > > >
> > > > > Does anybody use the concept of resource domains vs.
> > > > > authentication domains in an Active Directory environment? I
> > > > > thought AD obviated the need for that since the Active Directory
> > > > > can scale much more than the NT4 SAM could.
> > > > >
> > > > > That said, I have been having similar problems to Ken.
> > > > > Especially if I have tree-root transitive trusts, i.e.
> > > > > (a-test.dom, b-test.dom and c-test.dom). a-test.dom is the
> > > > > operations master for everything (RID allocation, PDC Emulator,
> > > > > and Infrastructure). If samba joins a-test.dom, clients from all
> > > > > domains can authenticate to a-test.dom. If a Samba box joins
> > > > > b-test.dom then it will not be able to look up the sequence for
> > > > > c-test.dom.
> > > > >
> > > > > So the problem I've seen (though it's been a while since I've
> > > > > worked on
> > > > > this) is that tree-root transitive trusts have a problem, but
> > > > > parent-child trusts work fine.
> > > > >
> > > > > -Marc
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: Ken Cross [mailto:kcross at nssolutions.com]
> > > > > > Sent: Thursday, July 17, 2003 10:33 AM
> > > > > > To: 'Multiple recipients of list SAMBA-TECHNICAL'
> > > > > > Subject: RE: Authentication through transitive trusts
> > > > > >
> > > > > >
> > > > > > Samba-folk:
> > > > > >
> > > > > > On further investigation, apparently Samba 3.0 cannot (and
> > > > > > will not in the near future) be able to authenticate through
> > > > > > transitive trusts. For example, in a simple AD forest:
> > > > > >
> > > > > > PARENT
> > > > > >
> > > > > > +-> CHILD1
> > > > > > +-> CHILD2
> > > > > >
> > > > > > If Samba joins PARENT, it can authenticate against any server.
> > > > > > But if it joins CHILD1 or CHILD2, it cannot authenticate against
> > > > > > the other child, which is connected via a transitive trust. You
> > > > > > must set up an explicit trust between CHILD1 and CHILD2.
> > > > > >
> > > > > > The reason is simple: you need Kerberos authentication for it to
> > > > > > work. Samba doesn't use Kerberos for anything except its machine
> > > > > > account, and I'm not aware of anything in the works to use
> > > > > > Kerberos for user authentication.
> > > > > >
> > > > > > This is a Big Deal for using Samba in enterprise systems.
> > > > > > Transitive trusts relieve the admin of having to maintain tons of
> > > > > > trust relationships. But Samba can't use them, which makes it much
> > > > > > tougher to integrate into a large AD forest. This is especially
> > > > > > true where file servers (e.g., Samba) are typically placed in
> > > > > > Resource domains and expected to use Authentication domains for
> > > > > > authenticating users connecting to shares.
> > > > > >
> > > > > > This is as of SAMBA_3_0 Beta 3.
> > > > > >
> > > > > > I'm not bitching -- just making people aware. (If I'm wrong, I'd be
> > > > > > *delighted* -- please correct me!)
> > > > > >
> > > > > > Thanks,
> > > > > > Ken
> > > > > > ________________________________
> > > > > >
> > > > > > Ken Cross
> > > > > >
> > > > > > Network Storage Solutions
> > > > > > Phone 865.675.4070 ext 31
> > > > > > kcross at nssolutions.com
>
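Added example, not code from the thread or from Samba: a small Python model of the two behaviours discussed above, a member server that honours only direct trusts versus one that follows transitive trusts, laid over the forest shapes the posters describe (PARENT/CHILD1/CHILD2, a.com/b.a.com/c.b.a.com, and the a-test/b-test/c-test tree roots). The function names and the trust edges are assumptions for illustration; `missing_explicit_trusts` lists the explicit trusts an admin would have to create so a direct-trust-only member can still reach every domain.

```python
"""Constructed model of which AD domains a Samba member can authenticate
users from: direct trusts only (the Samba 3.0 beta 3 behaviour Ken reports)
versus full transitive trust (what Kerberos referrals give a Windows member)."""
from collections import deque

def build_graph(trusts):
    """Parent-child and tree-root trusts are two-way, so store undirected edges."""
    graph = {}
    for a, b in trusts:
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set()).add(a)
    return graph

def direct_domains(joined, trusts):
    """Domains one trust hop away: all a direct-trust-only member can use."""
    return set(build_graph(trusts).get(joined, set()))

def transitive_domains(joined, trusts):
    """Every domain reachable by walking the trust graph (Kerberos referrals)."""
    graph = build_graph(trusts)
    seen, queue = {joined}, deque([joined])
    while queue:
        for nxt in graph.get(queue.popleft(), ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(joined)
    return seen

def missing_explicit_trusts(joined, trusts):
    """Explicit trusts an admin must add so a direct-trust-only member reaches
    the whole forest; empty when the member is joined to a hub like PARENT."""
    return transitive_domains(joined, trusts) - direct_domains(joined, trusts)

# Constructed forests using the domain names from the thread (assumed edges).
SIMPLE_FOREST = [("PARENT", "CHILD1"), ("PARENT", "CHILD2")]               # Ken
DEEP_FOREST = [("a.com", "b.a.com"), ("b.a.com", "c.b.a.com")]             # Chere
TREE_ROOTS = [("a-test.dom", "b-test.dom"), ("a-test.dom", "c-test.dom")]  # Marc

if __name__ == "__main__":
    for forest, joined in [(SIMPLE_FOREST, "CHILD1"), (DEEP_FOREST, "c.b.a.com"),
                           (TREE_ROOTS, "b-test.dom")]:
        print(joined, "direct:", sorted(direct_domains(joined, forest)),
              "transitive:", sorted(transitive_domains(joined, forest)),
              "explicit trusts needed:", sorted(missing_explicit_trusts(joined, forest)))
```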