Fixed [was Re: Authentication through transitive trusts]

Gerald (Jerry) Carter jerry at samba.org
Thu Jul 31 06:38:44 GMT 2003



On Mon, 14 Jul 2003, Ken Cross wrote:

> Samba-folk:
> 
> I'm having trouble authenticating through transitive trusts other than
> parent-child configurations.
> 
> I have an Active Directory with SUPTRA at the top and 2 other AD servers,
> KAMA and CAMP, so KAMA and CAMP have an implicit transitive trust.
> 
> 1. If Samba joins SUPTRA (the top), it can authenticate against any domain.
> 
> 2. If Samba joins KAMA, it can authenticate against KAMA and/or SUPTRA, but
> not CAMP.  wbinfo -u shows users from all 3 servers, but wbinfo -m only
> shows SUPTRA.
> 
> If I set up an explicit 2-way trust between KAMA and CAMP, everything
> authenticates OK.  That's not practical in larger enterprises, though.
> 
> Is there some trick to using transitive trusts (SAMBA_3_0)?

I think I've fixed this in winbindd in the latest SAMBA_3_0 cvs code.
Would you mind testing it and letting me know?  Only catch is the domain
the Samba box is joined to has to be a native mode domain.  Doesn't
matter for the others.

We might still have problems with getting a wk/xp client to use
kerberos to authenticate but that doesn't stop the trusts from working.
I tested your exact scenario and several others and everything seemed
to work out ok.




cheers, jerry
 ----------------------------------------------------------------------
 Hewlett-Packard            ------------------------- http://www.hp.com
 SAMBA Team                 ---------------------- http://www.samba.org
 GnuPG Key                  ---- http://www.plainjoe.org/gpg_public.asc
 "You can never go home again, Oatman, but I guess you can shop there."  
                            --John Cusack - "Grosse Point Blank" (1997)





More information about the samba-technical mailing list