FIxed [was Re: Authentication through transitive trusts]
Ken Cross
kcross at nssolutions.com
Thu Jul 31 21:05:11 GMT 2003
Jerry et al:
THANK YOU for your efforts! Here's what I've discovered so far with this
setup:
PARENT
+-- CAMP (mixed-mode)
+-- KAMA (mixed-mode)
+-- JAYA (native-mode)
Mixed-mode DCs
I know you said it must be native mode, but the DCs I was using were mixed
mode so I did some testing there first (once you change to native mode, you
can't go back). I had 2 mixed-mode DCs that are both Win2000 SP3.
The mixed-mode DCs basically acted like previous builds except that
enumerating users/groups showed them from all transitive trusts if "Allow
trusted domains" is enabled. That's nice. Authentication works as before,
i.e., authenticates against the DC and its parent.
wbinfo -m shows the same (self and parent), but wbinfo --sequence shows
sequence numbers from transitive trusts, too (if "Allow trusted domains" is
enabled).
Native-mode DCs
If "Allow trusted domains" is enabled, all users/groups on all transitive
trusts are displayed. Authentication works on all transitive trusts. Yea!
If "Allow trusted domains" is disabled, only users/groups in the domain
joined show up. Also, authentication only works on the joined domain.
Wish List
Is that how it *should* work? Is there any way to enumerate users/groups
from the joined domain but authenticate against any domain?
We have a customer with 650+ domains. Clearly, enumerating all those
suckers will be painful. But if we join a "resource" domain, we'd want to
be able to authenticate against an "authentication" domain (that has all the
user accounts).
Also, do you think working with mixed-mode DCs is feasible?
Regardless, it's a big step forward -- thanks again.
Ken
________________________________
Ken Cross
Network Storage Solutions
Phone 865.675.4070 ext 31
kcross at nssolutions.com
> -----Original Message-----
> From: Gerald (Jerry) Carter [mailto:jerry at samba.org]
> Sent: Thursday, July 31, 2003 2:39 AM
> To: Ken Cross
> Cc: 'Multiple recipients of list SAMBA-TECHNICAL'
> Subject: FIxed [was Re: Authentication through transitive trusts]
>
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Mon, 14 Jul 2003, Ken Cross wrote:
>
> > Samba-folk:
> >
> > I'm having trouble authenticating through transitive trusts other than
> > parent-child configurations.
> >
> > I have an Active Directory with SUPTRA at the top and 2 other AD
> > servers, KAMA and CAMP, so KAMA and CAMP have an implicit transitive
> > trust.
> >
> > 1. If Samba joins SUPTRA (the top), it can authenticate against any
> > domain.
> >
> > 2. If Samba joins KAMA, it can authenticate against KAMA and/or
> > SUPTRA, but not CAMP. wbinfo -u shows users from all 3 servers, but
> > wbinfo -m only shows SUPTRA.
> >
> > If I set up an explicit 2-way trust between KAMA and CAMP, everything
> > authenticates OK. That's not practical in larger enterprises, though.
> >
> > Is there some trick to using transitive trusts (SAMBA_3_0)?
>
> I think I've fixed this in winbindd in the latest SAMBA_3_0 cvs code.
> Would you mind testing it and letting me know? Only catch is the domain
> the Samba box is joined to has to be a native mode domain.
> Doesn't matter for the others.
>
> We might still have problems with getting a wk/xp client to use
> kerberos to authenticate but that doesn't stop the trusts from
> working. I tested your exact scenario and several others and
> everything seemed to work out ok.
>
>
> cheers, jerry
>
> ----------------------------------------------------------------------
> Hewlett-Packard ------------------------- http://www.hp.com
> SAMBA Team ---------------------- http://www.samba.org
> GnuPG Key ---- http://www.plainjoe.org/gpg_public.asc
> "You can never go home again, Oatman, but I guess you can shop there."
> --John Cusack - "Grosse Point Blank" (1997)
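As an added diagnostic (not code from this thread or from Samba itself): cross-check what `wbinfo -m` and `wbinfo --sequence` report, to surface domains that winbindd tracks through transitive trusts but does not list as trusted, the mixed-mode discrepancy Ken describes above. The sample outputs are constructed, and the two output formats are assumptions about Samba 3.0 winbindd rather than something quoted in the thread.

```python
import re

# Constructed sample output, standing in for the two commands on a Samba box
# joined to KAMA. The output formats are assumptions about Samba 3.0 winbindd:
# `wbinfo -m` prints one trusted domain per line; `wbinfo --sequence` prints
# "DOMAIN : <number>", or "DOMAIN : DISCONNECTED" when no DC is reachable.
JOINED_DOMAIN = "KAMA"
WBINFO_M_SAMPLE = "PARENT\n"
WBINFO_SEQUENCE_SAMPLE = """\
BUILTIN : 1
KAMA : 17
PARENT : 412
CAMP : 95
JAYA : DISCONNECTED
"""

def parse_trusted_domains(text):
    """Domains listed by `wbinfo -m`, one per line."""
    return {line.strip() for line in text.splitlines() if line.strip()}

def parse_sequence(text):
    """Map domain -> sequence number, or None when winbindd says DISCONNECTED."""
    seqs = {}
    for line in text.splitlines():
        match = re.match(r"^\s*(\S+)\s*:\s*(\S+)\s*$", line)
        if match:
            name, value = match.groups()
            seqs[name] = None if value == "DISCONNECTED" else int(value)
    return seqs

def trust_report(joined, wbinfo_m_output, wbinfo_sequence_output):
    """Classify each domain winbindd tracks, except BUILTIN and the joined one:
    'listed'        - in -m, so usable for enumeration and authentication
    'sequence-only' - known through a transitive trust but missing from -m,
                      the mixed-mode symptom reported above
    'disconnected'  - no DC reachable, so authentication there cannot work
    """
    listed = parse_trusted_domains(wbinfo_m_output)
    report = {}
    for name, seq in parse_sequence(wbinfo_sequence_output).items():
        if name in ("BUILTIN", joined):
            continue
        if seq is None:
            report[name] = "disconnected"
        else:
            report[name] = "listed" if name in listed else "sequence-only"
    return report
```

On a real box, feed the script the captured output of the two commands instead of the constructed strings; any domain classed `sequence-only` is one where enumeration and authentication are likely to disagree.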