Authentication through transitive trusts

Marc Kaplan MKaplan at snapappliance.com
Fri Jul 18 17:04:36 GMT 2003


Ken,

I looked at this again, and what I'm seeing is that Samba is successful
enumerating all of the sequence numbers, users, and groups from the
transitive trusts, but like you said -- clients cannot authenticate. I'm
seeing the same thing as you, Win2k client is using NTLMSSP rather than
Kerberos.  Though it is important to note that my Win2k clients from all
domains (not just transitive trusts) are using NTLMSSP to authenticate. I
need to go back and try this with the latest Samba, since I'm using a dated
version, but since you're seeing the same thing, I would guess that nothing
has changed.

win2k->win2k uses Kerberos, and win2k->nt4 uses NTLMSSP, so it seems like
the win2k box thinks the Samba Server is a downlevel client (or at least
only supports NTLM).

			-Marc

> -----Original Message-----
> From: Ken Cross [mailto:kcross at nssolutions.com]
> Sent: Thursday, July 17, 2003 11:29 AM
> To: 'Steve Langasek'
> Cc: 'Multiple recipients of list SAMBA-TECHNICAL'
> Subject: RE: Authentication through transitive trusts
> 
> 
> Steve:
> 
> I think we're talking apples and oranges.
> 
> The "AD-enabled client" doesn't connect to the AD server, it connects to
> Samba.  And unless I'm badly mistaken (which I'd *love* to be), the client
> does not use Kerberos to connect to Samba, it uses NTLM.  (NTLMSSP? SPNEGO?)
> 
> Hence, Samba passes the NTLM info to the AD server for authentication.  That
> doesn't make it through transitive trusts, only explicit trusts.  :-(
> 
> Or more simply: have you ever seen a user connect to a Samba share by
> authenticating through a transitive trust?  
> 
> In the example below, if Samba joins CHILD1, I cannot find any way for a
> user to connect to a Samba share using an account on CHILD2 (e.g.,
> CHILD2\Username) unless an explicit trust is set up between CHILD1 and
> CHILD2.
> 
> Clear as mud?
> 
> Ken
> ________________________________
> 
> Ken Cross
> 
> Network Storage Solutions
> Phone 865.675.4070 ext 31
> kcross at nssolutions.com 
> 
> > -----Original Message-----
> > From: Steve Langasek [mailto:vorlon at netexpress.net] 
> > Sent: Thursday, July 17, 2003 2:11 PM
> > To: Ken Cross
> > Cc: 'Multiple recipients of list SAMBA-TECHNICAL'
> > Subject: Re: Authentication through transitive trusts
> > 
> > 
> > On Thu, Jul 17, 2003 at 01:33:05PM -0400, Ken Cross wrote:
> > > Samba-folk:
> > 
> > > On further investigation, apparently Samba 3.0 cannot (and will not in
> > > the near future) be able to authenticate through transitive trusts.
> > > For example, in a simple AD forest:
> > 
> > >   PARENT
> > >     |
> > >     +-> CHILD1
> > >     +-> CHILD2
> > 
> > > If Samba joins PARENT, it can authenticate against any server.  But if
> > > it joins CHILD1 or CHILD2, it cannot authenticate against the other
> > > child, which is connected via a transitive trust.  You must set up an
> > > explicit trust between CHILD1 and CHILD2.
> > 
> > > The reason is simple: you need Kerberos authentication for it to work.
> > > Samba doesn't use Kerberos for anything except its machine account, and
> > > I'm not aware of anything in the works to use Kerberos for user
> > > authentication.
> > 
> > > This is a Big Deal for using Samba in enterprise systems.  Transitive
> > > trusts relieve the admin of having to maintain tons of trust
> > > relationships.  But Samba can't use them, which makes it much tougher to
> > > integrate into a large AD forest.  This is especially true where file
> > > servers (e.g., Samba) are typically placed in Resource domains and
> > > expected to use Authentication domains for authenticating users
> > > connecting to shares.
> > 
> > > This is as of SAMBA_3_0 Beta 3.
> > 
> > It's very unlikely that this is a Kerberos problem; by the 
> > time the AD-enabled client connects to the server, the realm 
> > transiting has already been taken care of among the AD 
> > servers, and the client has been issued a service ticket 
> > which must be valid for this Samba server.  If you're seeing 
> > problems with Samba as a server being unable to field 
> > requests from foreign AD clients, I think this is likely to 
> > be either an issue with LDAP-based resolution of foreign 
> > SIDs, or a side-effect of the recent winbind idmap changes 
> > between beta2 and beta3.
> > 
> > -- 
> > Steve Langasek
> > postmodern programmer
> > 
> 
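Marc's observation in the message above, that the Win2k client negotiates NTLMSSP rather than Kerberos when it talks to Samba, is something an admin can confirm from the security blob the client sends in its SMB Session Setup, rather than by inference from which accounts fail. The following is an added example, not code from this thread or from Samba itself: a small Python decoder for a SPNEGO negTokenInit that lists the mechanism OIDs the client offers, in the client's preference order, and also recognises a bare NTLMSSP token sent without any SPNEGO wrapper. The OID table holds the standard SPNEGO, Kerberos, MS-KRB5, NTLMSSP and NegoEx OIDs; the sample token is constructed by the included encoder (it carries only the mechTypes list and omits the mechToken a real client would also send); the function and helper names are my own.

```python
"""Inspect an SMB Session Setup security blob and report which GSS
mechanism the client is offering: Kerberos or NTLMSSP.

Added example for diagnosing the NTLMSSP-vs-Kerberos question raised in
the thread; the names below are this example's own, not Samba's."""

# Standard, well-known mechanism OIDs.
KNOWN_OIDS = {
    "1.3.6.1.5.5.2": "SPNEGO",
    "1.2.840.113554.1.2.2": "Kerberos 5",
    "1.2.840.48018.1.2.2": "MS KRB5 (legacy Microsoft Kerberos OID)",
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
    "1.3.6.1.4.1.311.2.2.30": "NegoEx",
}


def _read_tlv(buf, pos):
    """Decode one DER tag/length/value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(value):
    """Turn DER OID content octets into dotted notation."""
    first = value[0]
    arcs = [first // 40, first % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:  # last octet of this arc
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def offered_mechanisms(blob):
    """Return the dotted OIDs in negTokenInit.mechTypes, in the client's order
    of preference. A bare NTLMSSP token (no SPNEGO) yields ['NTLMSSP-raw']."""
    if blob.startswith(b"NTLMSSP\x00"):
        return ["NTLMSSP-raw"]
    tag, body, _ = _read_tlv(blob, 0)
    if tag != 0x60:
        raise ValueError("not a GSS-API InitialContextToken")
    tag, oid, pos = _read_tlv(body, 0)
    if tag != 0x06 or _decode_oid(oid) != "1.3.6.1.5.5.2":
        raise ValueError("outer mechanism is not SPNEGO")
    tag, neg_token_init, _ = _read_tlv(body, pos)      # [0] NegTokenInit
    if tag != 0xA0:
        raise ValueError("expected negTokenInit ([0])")
    tag, seq, _ = _read_tlv(neg_token_init, 0)         # SEQUENCE
    tag, mech_types_ctx, _ = _read_tlv(seq, 0)         # [0] mechTypes
    if tag != 0xA0:
        raise ValueError("expected mechTypes ([0])")
    tag, mech_types, _ = _read_tlv(mech_types_ctx, 0)  # SEQUENCE OF OID
    oids, pos = [], 0
    while pos < len(mech_types):
        tag, oid, pos = _read_tlv(mech_types, pos)
        if tag == 0x06:
            oids.append(_decode_oid(oid))
    return oids


def preferred_mechanism(blob):
    """Human-readable name of the first (most preferred) mechanism offered."""
    first = offered_mechanisms(blob)[0]
    return KNOWN_OIDS.get(first, first)


# --- Minimal DER encoder, used only to build a constructed sample token ---

def _der(tag, content):
    """Encode one DER TLV (lengths up to 65535, enough for a sample token)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + content


def _der_oid(dotted):
    """Encode a dotted OID into DER content octets."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append((a & 0x7F) | 0x80)
            a >>= 7
        out += bytes(reversed(chunk))
    return out


def make_neg_token_init(mech_oids):
    """Constructed sample: a SPNEGO negTokenInit offering the given mechanisms
    (mechTypes only; a real client also includes a mechToken)."""
    mech_types = _der(0x30, b"".join(_der(0x06, _der_oid(o)) for o in mech_oids))
    neg_token_init = _der(0xA0, _der(0x30, _der(0xA0, mech_types)))
    return _der(0x60, _der(0x06, _der_oid("1.3.6.1.5.5.2")) + neg_token_init)


if __name__ == "__main__":
    kerberos_first = make_neg_token_init(
        ["1.2.840.48018.1.2.2", "1.2.840.113554.1.2.2", "1.3.6.1.4.1.311.2.2.10"])
    ntlm_only = make_neg_token_init(["1.3.6.1.4.1.311.2.2.10"])
    for name, blob in (("Kerberos-capable client", kerberos_first),
                       ("NTLM-only client", ntlm_only)):
        print(name, "->", preferred_mechanism(blob), offered_mechanisms(blob))
```

In practice the blob comes from a packet capture of the Session Setup request; a client that has a valid service ticket for the Samba host will list a Kerberos OID first, while a client that treats the server as downlevel will lead with (or send only) NTLMSSP, which is the symptom Marc and Ken describe.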