Authentication through transitive trusts

Antti Andreimann Antti.Andreimann at mail.ee
Sun Jul 20 03:25:17 GMT 2003


Ken Cross wrote:

> Keep in mind that the origin of this issue was the fact that transitive
> trusts weren't being followed.

Well, they are followed, and AFAIK if and only if Kerberos authentication
works and the configuration option "allow trusted domains" is set (defaults
to yes).
However, there is another painful obstacle in using transitive trusts with
Samba: account naming.
If the principal of the incoming user is not from the realm Samba is configured
to be part of, the username takes the form REALM\user.
Now it is close to impossible to tell Samba that those users should be
considered local as well (take the form "user" instead of "REALM\user")
without patching the code.
When you have a system set up such that user accounts are in forest
account.ad.local and file servers are in resource.ad.local and there is a
transitive trust between those two, then you have a problem: all users are
considered foreign and their names take the form ACCOUNT.AD.LOCAL\user.
I do not know about winbind users, but people who use unix accounts that
have the same name as their respective accounts in AD are in big trouble
here. The only solution is to map those users via the smbusers file (that did
not work either, but this was easy to fix); however, it needs an entry for
each and every user, which is not a very good idea IMO.

Now there are three ways to solve this issue:
1. We treat users from "trusted" realms exactly the same way as we treat
users from our own realm. That is, we first try REALM\username and, if this
fails, username.
2. We add a configuration option to list the realms which should be
considered "local" and then do the same only for users that come from those
"local" realms.
3. We add regular expression match and replacement features to smbusers
mapping. So we could write something like this into smbusers file:
{r} $1 = ACCOUNT.AD.LOCAL\\(.+)
{r} $1 = ACCOUNT2.AD.LOCAL\\(.+)

I do agree that having your forest built up in such a way that splitting is
done via transitive trusts is a bad idea, but I think many people
converting from older NT4 networks to AD have similar setups, and it's not
easy to convert to a "correct" AD forest at once. And a transitive trust is
inevitable if you want to use non-M$ Kerberos for user password storage.

Since I badly need this feature (I run an in-house patched daemon because of
this), I am willing to implement it in any way the community deems
appropriate.

-- 
             Antti Andreimann
        Using Linux since 1993
  Member of ELUG since 29.01.2000
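As an added illustration of option 3 (not code from the post or from Samba): a small parser for an smbusers-style file that accepts the classic "unix = win1 win2" entries plus the proposed "{r} $1 = REGEX" form, and maps an incoming REALM\user name to a local account. The "{r}" syntax, the sample file and the user names are constructed for this example; the regex is matched anchored (fullmatch) so that a realm whose name merely contains the trusted one is not mapped.

```python
import re

# Constructed sample smbusers file. The "{r}" lines use the syntax proposed in
# the post (hypothetical, not an existing Samba feature). Dots in the realm
# names are escaped so they match literally rather than as regex wildcards.
SAMPLE_SMBUSERS = r"""
# classic static entries: unixname = winname1 winname2 ...
root = administrator admin
nobody = guest pcguest smbguest
# proposed regex entries: strip a trusted realm prefix, keep the user part
{r} $1 = ACCOUNT\.AD\.LOCAL\\(.+)
{r} $1 = ACCOUNT2\.AD\.LOCAL\\(.+)
"""


def parse_smbusers(text):
    """Return mapping rules in file order as (kind, target, pattern) tuples."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line or "=" not in line:
            continue
        lhs, rhs = (s.strip() for s in line.split("=", 1))
        if lhs.startswith("{r}"):
            # regex rule: lhs is "{r} <replacement>", rhs is the pattern
            replacement = lhs[len("{r}"):].strip()
            rules.append(("regex", replacement, re.compile(rhs, re.IGNORECASE)))
        else:
            for win in rhs.split():              # one static rule per NT name
                rules.append(("static", lhs, win))
    return rules


def map_username(rules, incoming):
    """Map an incoming (possibly REALM\\user) name to a unix account name.
    Returns the input unchanged when no rule applies, i.e. the user stays
    foreign, which is what the post describes for unmapped trusted realms."""
    for kind, target, pat in rules:
        if kind == "static":
            if pat.lower() == incoming.lower():
                return target
        elif pat.fullmatch(incoming):            # anchored: no partial matches
            # "$1" in the file becomes "\1" for re.Match.expand
            return pat.fullmatch(incoming).expand(target.replace("$", "\\"))
    return incoming


if __name__ == "__main__":
    rules = parse_smbusers(SAMPLE_SMBUSERS)
    for name in ("ACCOUNT.AD.LOCAL\\jsmith", "OTHER.AD.LOCAL\\jsmith", "Administrator"):
        print(name, "->", map_username(rules, name))
```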
