Authentication through transitive trusts

Chere Zhou qzhou at isilon.com
Thu Jul 17 22:18:38 GMT 2003


Hmm, I see.  Now I joined samba into c.b.a.com, and I got sequence numbers 
for c.b.a.com and b.a.com only.  I am on the same page as both of you now.
This is a surprise bite for me.


On Thursday 17 July 2003 02:43 pm, Marc Kaplan wrote:
> Chere,
>
> I agree with you, that works. But now try joining c.b.a.com -- you will
> only get the users from c.b.a.com and b.a.com, but not a.com. This is the
> problem that Ken and I are both having.
>
> Ken if it's any comfort (I doubt it) it's been in our bug tracking system
> here for a year :)
>
> 			-Marc
>
> > -----Original Message-----
> > From: Chere Zhou [mailto:qzhou at isilon.com]
> > Sent: Thursday, July 17, 2003 2:52 PM
> > To: Ken Cross; Marc Kaplan; 'Multiple recipients of list
> > SAMBA-TECHNICAL'
> > Subject: Re: Authentication through transitive trusts
> >
> >
> > I just checked with my 3.0alpha21 installation.  I have samba joined
> > a.com, and there are b.a.com and c.b.a.com.  There is a sequence number
> > for c.b.a.com, and wbinfo -u lists c.b.a.com users too.   I can also
> > connect to samba box as a user in c.b.a.com.   Something in the current
> > code that broke it?    I do not have across root trusts right now to
> > test with though.
> >
> > On Thursday 17 July 2003 02:18 pm, Ken Cross wrote:
> > > I think they're the same issue.
> > >
> > > No, you don't see the sequence numbers for any except the parent or child.
> >
> > > No, you can't authenticate to anything except the parent or child.
> > >
> > > Ken
> > > ________________________________
> > >
> > > Ken Cross
> > >
> > > Network Storage Solutions
> > > Phone 865.675.4070 ext 31
> > > kcross at nssolutions.com
> > >
> > > > -----Original Message-----
> > > > From: Marc Kaplan [mailto:MKaplan at snapappliance.com]
> > > > Sent: Thursday, July 17, 2003 5:15 PM
> > > > To: 'Ken Cross'; 'Multiple recipients of list SAMBA-TECHNICAL'
> > > > Subject: RE: Authentication through transitive trusts
> > > >
> > > >
> > > > Ken,
> > > >
> > > > So if you have:
> > > > a.test
> > > > 	b.a.test
> > > > 		c.b.a.test
> > > >
> > > > And you join c.b.a.test do you get a sequence number from
> > > > a.test? I just want to find out if we're talking about the
> > > > same thing(My issue is before a client can even try to
> > > > authenticate -- we don't get the users/groups).
> > > >
> > > > It sounds to me like your issue is authentication, which is a
> > > > step after mine...
> > > >
> > > > 			-Marc
> > > >
> > > > > -----Original Message-----
> > > > > From: Ken Cross [mailto:kcross at nssolutions.com]
> > > > > Sent: Thursday, July 17, 2003 2:10 PM
> > > > > To: Marc Kaplan; 'Multiple recipients of list SAMBA-TECHNICAL'
> > > > > Subject: RE: Authentication through transitive trusts
> > > > >
> > > > >
> > > > > You're right, of course, about the "need" for Resource/Authentication
> > > > > domains in AD.  That's a holdover from NT domains, but they are still
> > > > > very common.
> > > > >
> > > > > A parent-child trust works OK, but a parent-grandchild trust doesn't.
> > > > > Anywhere that it isn't a direct parent-child connection seems to fail.
> > > >
> > > > > Ken
> > > > > ________________________________
> > > > >
> > > > > Ken Cross
> > > > >
> > > > > Network Storage Solutions
> > > > > Phone 865.675.4070 ext 31
> > > > > kcross at nssolutions.com
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: Marc Kaplan [mailto:MKaplan at snapappliance.com]
> > > > > > Sent: Thursday, July 17, 2003 5:06 PM
> > > > > > To: 'Ken Cross'; 'Multiple recipients of list SAMBA-TECHNICAL'
> > > > > > Subject: RE: Authentication through transitive trusts
> > > > > >
> > > > > > Ken wrote:
> > > > > > > This is a Big Deal for using Samba in enterprise systems.
> > > > > > > Transitive trusts relieve the admin of having to maintain tons of
> > > > > > > trust relationships.  But Samba can't use them, which makes it
> > > > > > > much tougher to integrate into a large AD forest.  This is
> > > > > > > especially true where file servers (e.g., Samba) are typically
> > > > > > > placed in Resource domains and expected to use Authentication
> > > > > > > domains for authenticating users connecting to shares.
> > > > > >
> > > > > > Does anybody use the concept of resource domains vs.
> > > > > > authentication domains in an Active Directory environment? I
> > > > > > thought AD obviated the need for that since the Active
> > > > > > Directory can scale much more than the NT4 SAM could.
> > > > > >
> > > > > > That said, I have been having similar problems to Ken.
> > > > > > Especially if I have a tree-root transitive trusts i.e.
> > > > > > (a-test.dom b-test.dom and c-test.dom). a-test.dom is the
> > > > > > operations master for everything (RID allocation, PDC
> > > > > > Emulator, and Infrastructure). If samba joins a-test.dom
> > > > > > clients from all domains can authenticate to a-test.dom. If a
> > > > > > Samba box joins b-test.dom than it will not be able to lookup
> > > > > > sequence for c-test.dom.
> > > > > >
> > > > > > So the problem I've seen (though it's been a while since I've
> > > > > > worked on
> > > > > > this) is that tree-root transitive trusts have a problem, but
> > > > > > parent-child trusts work fine.
> > > > > >
> > > > > > 				-Marc
> > > > > >
> > > > > > > -----Original Message-----
> > > > > > > From: Ken Cross [mailto:kcross at nssolutions.com]
> > > > > > > Sent: Thursday, July 17, 2003 10:33 AM
> > > > > > > To: 'Multiple recipients of list SAMBA-TECHNICAL'
> > > > > > > Subject: RE: Authentication through transitive trusts
> > > > > > >
> > > > > > >
> > > > > > > Samba-folk:
> > > > > > >
> > > > > > > On further investigation, apparently Samba 3.0 cannot (and will
> > > > > > > not in the near future) be able to authenticate through transitive
> > > > > > > trusts.  For example, in a simple AD forest:
> > > > > > >
> > > > > > >   PARENT
> > > > > > >
> > > > > > >     +-> CHILD1
> > > > > > >     +-> CHILD2
> > > > > > >
> > > > > > > If Samba joins PARENT, it can authenticate against any server.
> > > > > > > But if it joins CHILD1 or CHILD2, it cannot authenticate against
> > > > > > > the other child, which is connected via a transitive trust.  You
> > > > > > > must set up an explicit trust between CHILD1 and CHILD2.
> > > > > > >
> > > > > > > The reason is simple: you need Kerberos authentication for it to
> > > > > > > work.  Samba doesn't use Kerberos for anything except its machine
> > > > > > > account, and I'm not aware of anything in the works to use
> > > > > > > Kerberos for user authentication.
> > > > > > >
> > > > > > > This is a Big Deal for using Samba in enterprise systems.
> > > > > > > Transitive trusts relieve the admin of having to maintain tons of
> > > > > > > trust relationships.  But Samba can't use them, which makes it
> > > > > > > much tougher to integrate into a large AD forest.  This is
> > > > > > > especially true where file servers (e.g., Samba) are typically
> > > > > > > placed in Resource domains and expected to use Authentication
> > > > > > > domains for authenticating users connecting to shares.
> > > > > > >
> > > > > > > This is as of SAMBA_3_0 Beta 3.
> > > > > > >
> > > > > > > I'm not bitching -- just making people aware.  (If I'm wrong, I'd
> > > > > > > be *delighted* -- please correct me!)
> > > > > > >
> > > > > > > Thanks,
> > > > > > > Ken
> > > > > > > ________________________________
> > > > > > >
> > > > > > > Ken Cross
> > > > > > >
> > > > > > > Network Storage Solutions
> > > > > > > Phone 865.675.4070 ext 31
> > > > > > > kcross at nssolutions.com
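Added example, not from the thread or from Samba's code: a small Python model fitted to the observations reported above (a member of domain X sees X, X's parent and everything below X, but not its grandparent or sibling trees), used to list which forest domains would need an explicit trust from a given join point. The parent map is constructed from the domain names used in the thread; treating the tree-root trust with a-test.dom as the "parent" side is an assumption of the model.

```python
"""Model of which forest domains a Samba 3.0 member can reach via trusts.

Constructed example fitted to the observations in this thread (not Samba
code): a box joined to domain X sees X, X's parent and every domain below
X, while AD transitive trusts would let it reach the whole forest.
"""

# Constructed forest: child -> parent. Tree-root trusts are modelled with
# the forest root as the "parent" side (a-test.dom in Marc's example).
PARENT = {
    "b.a.test": "a.test",
    "c.b.a.test": "b.a.test",
    "b-test.dom": "a-test.dom",   # tree-root trust (assumption of the model)
    "c-test.dom": "a-test.dom",   # tree-root trust (assumption of the model)
}

def descendants(domain, parent=PARENT):
    """Every domain below `domain`, following parent links transitively."""
    out = set()
    for child, par in parent.items():
        if par == domain:
            out.add(child)
            out |= descendants(child, parent)
    return out

def forest_of(domain, parent=PARENT):
    """All domains in the same forest as `domain`: what transitive trusts reach."""
    root = domain
    while root in parent:          # climb to the forest root
        root = parent[root]
    return {root} | descendants(root, parent)

def samba30_visible(joined, parent=PARENT):
    """Domains the thread reports as enumerable/authenticatable from `joined`:
    itself, its direct parent, and everything below it."""
    visible = {joined} | descendants(joined, parent)
    if joined in parent:
        visible.add(parent[joined])
    return visible

def needs_explicit_trust(joined, parent=PARENT):
    """Forest domains unreachable from `joined` without an explicit trust."""
    return forest_of(joined, parent) - samba30_visible(joined, parent)

if __name__ == "__main__":
    for dom in ("a.test", "c.b.a.test", "b-test.dom"):
        print(dom, "needs explicit trust to:", sorted(needs_explicit_trust(dom)))
```

The join point that minimises the explicit-trust list is the forest root, which is the behaviour Ken and Chere describe for a box joined to PARENT / a.com.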


