Authentication through transitive trusts

Ken Cross kcross at nssolutions.com
Thu Jul 17 21:41:44 GMT 2003


Are a.com and c.b.a.com both AD (as opposed to NT)?  

Is there any kind of explicit trust between them?

Ken
________________________________

Ken Cross

Network Storage Solutions
Phone 865.675.4070 ext 31
kcross at nssolutions.com 

> -----Original Message-----
> From: Chere Zhou [mailto:qzhou at isilon.com] 
> Sent: Thursday, July 17, 2003 5:52 PM
> To: Ken Cross; 'Marc Kaplan'; 'Multiple recipients of list 
> SAMBA-TECHNICAL'
> Subject: Re: Authentication through transitive trusts
> 
> 
> I just checked with my 3.0alpha21 installation.  I have samba joined a.com,
> and there are b.a.com and c.b.a.com.  There is a sequence number for
> c.b.a.com, and wbinfo -u lists c.b.a.com users too.  I can also connect to
> samba box as a user in c.b.a.com.  Something in the current code that broke
> it?  I do not have across root trusts right now to test with though.
> 
> 
> On Thursday 17 July 2003 02:18 pm, Ken Cross wrote:
> > I think they're the same issue.
> >
> > No, you don't see the sequence numbers for any except the parent or 
> > child. No, you can't authenticate to anything except the parent or 
> > child.
> >
> > Ken
> > ________________________________
> >
> > Ken Cross
> >
> > Network Storage Solutions
> > Phone 865.675.4070 ext 31
> > kcross at nssolutions.com
> >
> > > -----Original Message-----
> > > From: Marc Kaplan [mailto:MKaplan at snapappliance.com]
> > > Sent: Thursday, July 17, 2003 5:15 PM
> > > To: 'Ken Cross'; 'Multiple recipients of list SAMBA-TECHNICAL'
> > > Subject: RE: Authentication through transitive trusts
> > >
> > >
> > > Ken,
> > >
> > > So if you have:
> > > a.test
> > > 	b.a.test
> > > 		c.b.a.test
> > >
> > > And you join c.b.a.test do you get a sequence number from a.test? I
> > > just want to find out if we're talking about the same thing (My issue
> > > is before a client can even try to authenticate -- we don't get the
> > > users/groups).
> > >
> > > It sounds to me like your issue is authentication, which is a step
> > > after mine...
> > >
> > > 			-Marc
> > >
> > > > -----Original Message-----
> > > > From: Ken Cross [mailto:kcross at nssolutions.com]
> > > > Sent: Thursday, July 17, 2003 2:10 PM
> > > > To: Marc Kaplan; 'Multiple recipients of list SAMBA-TECHNICAL'
> > > > Subject: RE: Authentication through transitive trusts
> > > >
> > > >
> > > > You're right, of course, about the "need" for Resource/Authentication
> > > > domains in AD.  That's a holdover from NT domains, but they are still
> > > > very common.
> > > >
> > > > A parent-child trust works OK, but a parent-grandchild trust doesn't.
> > > > Anywhere that it isn't a direct parent-child connection seems to fail.
> > >
> > > > Ken
> > > > ________________________________
> > > >
> > > > Ken Cross
> > > >
> > > > Network Storage Solutions
> > > > Phone 865.675.4070 ext 31
> > > > kcross at nssolutions.com
> > > >
> > > > > -----Original Message-----
> > > > > From: Marc Kaplan [mailto:MKaplan at snapappliance.com]
> > > > > Sent: Thursday, July 17, 2003 5:06 PM
> > > > > To: 'Ken Cross'; 'Multiple recipients of list SAMBA-TECHNICAL'
> > > > > Subject: RE: Authentication through transitive trusts
> > > > >
> > > > > Ken wrote:
> > > > > > This is a Big Deal for using Samba in enterprise systems.
> > > > > > Transitive trusts relieve the admin of having to maintain tons of
> > > > > > trust relationships.  But Samba can't use them, which makes it
> > > > > > much tougher to integrate into a large AD forest.  This is
> > > > > > especially true where file servers (e.g., Samba) are typically
> > > > > > placed in Resource domains and expected to use Authentication
> > > > > > domains for authenticating users connecting to shares.
> > > > >
> > > > > Does anybody use the concept of resource domains vs.
> > > > > authentication domains in an Active Directory environment? I
> > > > > thought AD obviated the need for that since the Active Directory
> > > > > can scale much more than the NT4 SAM could.
> > > > >
> > > > > That said, I have been having similar problems to Ken.
> > > > > Especially if I have a tree-root transitive trusts i.e.
> > > > > (a-test.dom b-test.dom and c-test.dom). a-test.dom is the
> > > > > operations master for everything (RID allocation, PDC Emulator,
> > > > > and Infrastructure). If samba joins a-test.dom clients from all
> > > > > domains can authenticate to a-test.dom. If a Samba box joins
> > > > > b-test.dom then it will not be able to lookup sequence for
> > > > > c-test.dom.
> > > > >
> > > > > So the problem I've seen (though it's been a while since I've
> > > > > worked on this) is that tree-root transitive trusts have a
> > > > > problem, but parent-child trusts work fine.
> > > > >
> > > > > 				-Marc
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: Ken Cross [mailto:kcross at nssolutions.com]
> > > > > > Sent: Thursday, July 17, 2003 10:33 AM
> > > > > > To: 'Multiple recipients of list SAMBA-TECHNICAL'
> > > > > > Subject: RE: Authentication through transitive trusts
> > > > > >
> > > > > >
> > > > > > Samba-folk:
> > > > > >
> > > > > > On further investigation, apparently Samba 3.0 cannot (and
> > > > > > will not in the near future) be able to authenticate through
> > > > > > transitive trusts.  For example, in a simple AD forest:
> > > > > >
> > > > > >   PARENT
> > > > > >
> > > > > >     +-> CHILD1
> > > > > >     +-> CHILD2
> > > > > >
> > > > > > If Samba joins PARENT, it can authenticate against any server.
> > > > > > But if it joins CHILD1 or CHILD2, it cannot authenticate against
> > > > > > the other child, which is connected via a transitive trust.  You
> > > > > > must set up an explicit trust between CHILD1 and CHILD2.
> > > > > >
> > > > > > The reason is simple: you need Kerberos authentication for it to
> > > > > > work.  Samba doesn't use Kerberos for anything except its machine
> > > > > > account, and I'm not aware of anything in the works to use
> > > > > > Kerberos for user authentication.
> > > > > >
> > > > > > This is a Big Deal for using Samba in enterprise systems.
> > > > > > Transitive trusts relieve the admin of having to maintain tons of
> > > > > > trust relationships.  But Samba can't use them, which makes it
> > > > > > much tougher to integrate into a large AD forest.  This is
> > > > > > especially true where file servers (e.g., Samba) are typically
> > > > > > placed in Resource domains and expected to use Authentication
> > > > > > domains for authenticating users connecting to shares.
> > > > > >
> > > > > > This is as of SAMBA_3_0 Beta 3.
> > > > > >
> > > > > > I'm not bitching -- just making people aware.  (If I'm wrong, I'd
> > > > > > be *delighted* -- please correct me!)
> > > > > >
> > > > > > Thanks,
> > > > > > Ken
> > > > > > ________________________________
> > > > > >
> > > > > > Ken Cross
> > > > > >
> > > > > > Network Storage Solutions
> > > > > > Phone 865.675.4070 ext 31
> > > > > > kcross at nssolutions.com
> 
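The thread's diagnostic (does winbind show a sequence number for each domain, does `wbinfo -u` list its users, can a user from there log on) is done by hand above. The script below is an added example, not part of the thread or of Samba itself: it asks winbind which domains it trusts (`wbinfo -m`), then probes each one with `wbinfo --domain=DOM -u` and reports which listed domains winbind cannot actually enumerate. The domain names A, B and C and the fake probe are constructed stand-ins that model the symptom Ken describes (only the direct parent or child answers); the live section only runs where `wbinfo` is installed.

```shell
#!/bin/sh
# Added diagnostic script, not from the thread or the Samba project.
# It automates the check the thread does by hand: ask winbind which
# domains it trusts, then test per domain whether it can actually
# enumerate users there. A domain that is listed but cannot be
# enumerated is the "transitive trust winbind cannot use" case.

# probe_domain DOMAIN: exit 0 if winbind can list DOMAIN's users.
# `wbinfo --domain=DOM -u` restricts the user enumeration to one domain.
probe_domain() {
    wbinfo --domain="$1" -u >/dev/null 2>&1
}

# check_auth 'DOMAIN\user': attempt a logon through winbind for one
# account from a trusted domain. wbinfo prompts for the password when
# it is not supplied in user%password form.
check_auth() {
    wbinfo -a "$1"
}

# report_trusts "dom1 dom2 ..." PROBE_FUNC
# Prints one line per domain and returns the number of domains the probe
# could not reach (0 means every listed domain is usable).
report_trusts() {
    unreachable=0
    for dom in $1; do
        if "$2" "$dom"; then
            echo "reachable   $dom"
        else
            echo "UNREACHABLE $dom"
            unreachable=$((unreachable + 1))
        fi
    done
    return "$unreachable"
}

# Constructed sample (assumption, mirrors the thread's layout): the box is
# joined to A; B is its child, C the grandchild. The fake probe models the
# symptom reported in the thread: only the direct parent/child answers.
SAMPLE_DOMAINS="A B C"
fake_probe() {
    case "$1" in
        A|B) return 0 ;;
        *)   return 1 ;;
    esac
}

# Offline demonstration with the constructed sample.
echo "== constructed sample =="
report_trusts "$SAMPLE_DOMAINS" fake_probe || echo "$? domain(s) unreachable"

# Live run, only where winbind is actually installed.
if command -v wbinfo >/dev/null 2>&1; then
    echo "== live winbind =="
    live_domains=$(wbinfo -m 2>/dev/null | tr '\n' ' ')
    report_trusts "$live_domains" probe_domain || echo "$? domain(s) unreachable"
fi
```

On a real box, compare the UNREACHABLE lines against the forest's trust topology: every domain that shows up there is one whose users cannot be resolved or authenticated by this Samba server, so ACLs and share access that refer to those users will not work until a direct trust (or a Kerberos-capable Samba) is in place. Run `check_auth 'DOMAIN\user'` for one account per reachable domain to confirm that enumeration and logon agree.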