Authentication through transitive trusts

Marc Kaplan MKaplan at snapappliance.com
Thu Jul 17 21:43:24 GMT 2003


Chere,

I agree with you, that works. But now try joining c.b.a.com -- you will only
get the users from c.b.a.com and b.a.com, but not a.com. This is the problem
that Ken and I are both having.

Ken, if it's any comfort (I doubt it), it's been in our bug tracking system
here for a year :)

			-Marc

> -----Original Message-----
> From: Chere Zhou [mailto:qzhou at isilon.com]
> Sent: Thursday, July 17, 2003 2:52 PM
> To: Ken Cross; Marc Kaplan; 'Multiple recipients of list
> SAMBA-TECHNICAL'
> Subject: Re: Authentication through transitive trusts
> 
> 
> I just checked with my 3.0alpha21 installation.  I have samba joined a.com,
> and there are b.a.com and c.b.a.com.  There is a sequence number for
> c.b.a.com, and wbinfo -u lists c.b.a.com users too.  I can also connect to
> samba box as a user in c.b.a.com.  Something in the current code that broke
> it?  I do not have across root trusts right now to test with though.
> 
> 
> On Thursday 17 July 2003 02:18 pm, Ken Cross wrote:
> > I think they're the same issue.
> >
> > No, you don't see the sequence numbers for any except the parent or child.
> > No, you can't authenticate to anything except the parent or child.
> >
> > Ken
> > ________________________________
> >
> > Ken Cross
> >
> > Network Storage Solutions
> > Phone 865.675.4070 ext 31
> > kcross at nssolutions.com
> >
> > > -----Original Message-----
> > > From: Marc Kaplan [mailto:MKaplan at snapappliance.com]
> > > Sent: Thursday, July 17, 2003 5:15 PM
> > > To: 'Ken Cross'; 'Multiple recipients of list SAMBA-TECHNICAL'
> > > Subject: RE: Authentication through transitive trusts
> > >
> > >
> > > Ken,
> > >
> > > So if you have:
> > > a.test
> > > 	b.a.test
> > > 		c.b.a.test
> > >
> > > And you join c.b.a.test do you get a sequence number from
> > > a.test? I just want to find out if we're talking about the
> > > same thing(My issue is before a client can even try to
> > > authenticate -- we don't get the users/groups).
> > >
> > > It sounds to me like your issue is authentication, which is a
> > > step after mine...
> > >
> > > 			-Marc
> > >
> > > > -----Original Message-----
> > > > From: Ken Cross [mailto:kcross at nssolutions.com]
> > > > Sent: Thursday, July 17, 2003 2:10 PM
> > > > To: Marc Kaplan; 'Multiple recipients of list SAMBA-TECHNICAL'
> > > > Subject: RE: Authentication through transitive trusts
> > > >
> > > >
> > > > You're right, of course, about the "need" for Resource/Authentication
> > > > domains in AD.  That's a holdover from NT domains, but they are still
> > > > very common.
> > > >
> > > > A parent-child trust works OK, but a parent-grandchild trust doesn't.
> > > > Anywhere that it isn't a direct parent-child connection seems to fail.
> > > >
> > > > Ken
> > > > ________________________________
> > > >
> > > > Ken Cross
> > > >
> > > > Network Storage Solutions
> > > > Phone 865.675.4070 ext 31
> > > > kcross at nssolutions.com
> > > >
> > > > > -----Original Message-----
> > > > > From: Marc Kaplan [mailto:MKaplan at snapappliance.com]
> > > > > Sent: Thursday, July 17, 2003 5:06 PM
> > > > > To: 'Ken Cross'; 'Multiple recipients of list SAMBA-TECHNICAL'
> > > > > Subject: RE: Authentication through transitive trusts
> > > > >
> > > > > Ken wrote:
> > > > > > This is a Big Deal for using Samba in enterprise systems.
> > > > > > Transitive trusts relieve the admin of having to maintain tons of
> > > > > > trust relationships.  But Samba can't use them, which makes it much
> > > > > > tougher to integrate into a large AD forest.  This is especially
> > > > > > true where file servers (e.g., Samba) are typically placed in
> > > > > > Resource domains and expected to use Authentication domains for
> > > > > > authenticating users connecting to shares.
> > > > >
> > > > > Does anybody use the concept of resource domains vs.
> > > > > authentication domains in an Active Directory environment? I
> > > > > thought AD obviated the need for that since the Active
> > > > > Directory can scale much more than the NT4 SAM could.
> > > > >
> > > > > That said, I have been having similar problems to Ken.
> > > > > Especially if I have tree-root transitive trusts, i.e.
> > > > > (a-test.dom, b-test.dom and c-test.dom). a-test.dom is the
> > > > > operations master for everything (RID allocation, PDC
> > > > > Emulator, and Infrastructure). If samba joins a-test.dom,
> > > > > clients from all domains can authenticate to a-test.dom. If a
> > > > > Samba box joins b-test.dom, then it will not be able to look up
> > > > > the sequence for c-test.dom.
> > > > >
> > > > > So the problem I've seen (though it's been a while since I've
> > > > > worked on this) is that tree-root transitive trusts have a problem,
> > > > > but parent-child trusts work fine.
> > > > >
> > > > > 				-Marc
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: Ken Cross [mailto:kcross at nssolutions.com]
> > > > > > Sent: Thursday, July 17, 2003 10:33 AM
> > > > > > To: 'Multiple recipients of list SAMBA-TECHNICAL'
> > > > > > Subject: RE: Authentication through transitive trusts
> > > > > >
> > > > > >
> > > > > > Samba-folk:
> > > > > >
> > > > > > On further investigation, apparently Samba 3.0 cannot (and will
> > > > > > not in the near future) be able to authenticate through transitive
> > > > > > trusts.  For example, in a simple AD forest:
> > > > > >
> > > > > >   PARENT
> > > > > >
> > > > > >     +-> CHILD1
> > > > > >     +-> CHILD2
> > > > > >
> > > > > > If Samba joins PARENT, it can authenticate against any server.
> > > > > > But if it joins CHILD1 or CHILD2, it cannot authenticate against
> > > > > > the other child, which is connected via a transitive trust.  You
> > > > > > must set up an explicit trust between CHILD1 and CHILD2.
> > > > > >
> > > > > > The reason is simple: you need Kerberos authentication for it to
> > > > > > work.  Samba doesn't use Kerberos for anything except its machine
> > > > > > account, and I'm not aware of anything in the works to use Kerberos
> > > > > > for user authentication.
> > > > > >
> > > > > > This is a Big Deal for using Samba in enterprise systems.
> > > > > > Transitive trusts relieve the admin of having to maintain tons of
> > > > > > trust relationships.  But Samba can't use them, which makes it much
> > > > > > tougher to integrate into a large AD forest.  This is especially
> > > > > > true where file servers (e.g., Samba) are typically placed in
> > > > > > Resource domains and expected to use Authentication domains for
> > > > > > authenticating users connecting to shares.
> > > > > >
> > > > > > This is as of SAMBA_3_0 Beta 3.
> > > > > >
> > > > > > I'm not bitching -- just making people aware.  (If I'm wrong, I'd
> > > > > > be *delighted* -- please correct me!)
> > > > > >
> > > > > > Thanks,
> > > > > > Ken
> > > > > > ________________________________
> > > > > >
> > > > > > Ken Cross
> > > > > >
> > > > > > Network Storage Solutions
> > > > > > Phone 865.675.4070 ext 31
> > > > > > kcross at nssolutions.com
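As an added illustration of the gap Marc and Ken describe (example code written for this page, not from the thread or from Samba): given the forest's parent-child trust links and the output of `wbinfo -u`, compute which trusted domains winbind should have enumerated but did not. The `wbinfo` output is a constructed sample; DNS-style domain prefixes and the default `\` winbind separator are assumptions.

```python
# Added example (not from the thread or from Samba): compare the domains a
# forest's transitive trusts should make reachable with the domains that
# actually show up in `wbinfo -u` output, and report the gap.
# Assumptions: trust links as (parent, child) pairs, domain prefixes compared
# case-insensitively, and wbinfo lines shaped "DOMAIN\user" (default "\"
# winbind separator).  The sample output is constructed, not captured.

# Marc's example tree: a.com -> b.a.com -> c.b.a.com.
TRUSTS = [("a.com", "b.a.com"), ("b.a.com", "c.b.a.com")]

def reachable(joined, trusts, transitive=True):
    """Domains reachable from the joined domain over the trust links.

    Parent-child trusts in an AD forest are two-way, so links are treated as
    undirected.  With transitive=False only directly linked domains are
    returned, which models the behaviour the thread complains about.
    """
    neighbours = {}
    for parent, child in trusts:
        neighbours.setdefault(parent, set()).add(child)
        neighbours.setdefault(child, set()).add(parent)
    seen = {joined}
    frontier = [joined]
    while frontier:
        dom = frontier.pop()
        for nxt in neighbours.get(dom, ()):
            if nxt not in seen:
                seen.add(nxt)
                if transitive:
                    frontier.append(nxt)
    return seen

def domains_in_wbinfo(output, separator="\\"):
    """Distinct domain prefixes present in `wbinfo -u` output."""
    return {line.split(separator, 1)[0].lower()
            for line in output.splitlines() if separator in line}

def missing_domains(joined, trusts, output):
    """Trusted domains winbind should list (transitively) but did not."""
    return reachable(joined, trusts) - domains_in_wbinfo(output)

# Constructed sample of what a box joined to c.b.a.com reportedly shows:
# users from the grandparent a.com never appear.
SAMPLE_WBINFO = "C.B.A.COM\\alice\nC.B.A.COM\\bob\nB.A.COM\\carol\n"

if __name__ == "__main__":
    print("not enumerated:", missing_domains("c.b.a.com", TRUSTS, SAMPLE_WBINFO))
```

Feed it the real `wbinfo -u` output and the forest's trust links to see the same comparison for your own join.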