FIxed [was Re: Authentication through transitive trusts]

Ken Cross kcross at nssolutions.com
Thu Jul 31 21:05:11 GMT 2003 

Jerry et al:

THANK YOU for your efforts!  Here's what I've discovered so far with this
setup:


 PARENT
  +-- CAMP (mixed-mode)
  +-- KAMA (mixed-mode)
       +-- JAYA (native-mode)


Mixed-mode DCs

I know you said it must be native mode, but the DCs I was using were mixed
mode so I did some testing there first (once you change to native mode, you
can't go back).  I had 2 mixed-mode DCs that are both Win2000 SP3.

The mixed-mode DCs basically acted like previous builds except that
enumerating users/groups showed them from all transitive trusts if "Allow
trusted domains" is enabled.  That's nice.  Authentication works as before,
i.e., authenticates against the DC and its parent.  

wbinfo -m shows the same (self and parent), but wbinfo --sequence shows
sequence numbers from transitive trusts, too (if "Allow trusted domains" is
enabled).


Native-mode DCs

If "Allow trusted domains" is enabled, all users/groups on all transitive
trusts are displayed.  Authentication works on all transitive trusts.  Yea!

If "Allow trusted domains" is disabled, only users/groups in the domain
joined show up.  Also, authentication only works on the joined domain.


Wish List

Is that how it *should* work?  Is there any way to enumerate users/groups
from the joined domain but authenticate against any domain?

We have a customer with 650+ domains.  Clearly, enumerating all those
suckers will be painful.  But if we join a "resource" domain, we'd want to
be able to authenticate against an "authentication" domain (that has all the
user accounts).

Also, do you think working with mixed-mode DCs is feasible?


Regardless, it's a big step forward -- thanks again.  


Ken
________________________________

Ken Cross

Network Storage Solutions
Phone 865.675.4070 ext 31
kcross at nssolutions.com 

> -----Original Message-----
> From: Gerald (Jerry) Carter [mailto:jerry at samba.org]
> Sent: Thursday, July 31, 2003 2:39 AM
> To: Ken Cross
> Cc: 'Multiple recipients of list SAMBA-TECHNICAL'
> Subject: FIxed [was Re: Authentication through transitive trusts]
> 
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> On Mon, 14 Jul 2003, Ken Cross wrote:
> 
> > Samba-folk:
> > 
> > I'm having trouble authenticating through transitive trusts
> other than
> > parent-child configurations.
> > 
> > I have an Active Directory with SUPTRA at the top and 2 other AD
> > servers, KAMA and CAMP, so KAMA and CAMP have an implicit 
> transitive
> > trust.
> > 
> > 1. If Samba joins SUPTRA (the top), it can authenticate against any
> > domain.
> > 
> > 2. If Samba joins KAMA, it can authenticate against KAMA and/or
> > SUPTRA, but not CAMP.  wbinfo -u shows users from all 3 
> servers, but
> > wbinfo -m only shows SUPTRA.
> > 
> > If I set up an explicit 2-way trust between KAMA and CAMP,
> everything
> > authenticates OK.  That's not practical in larger
> enterprises, though.
> > 
> > Is there some trick to using transitive trusts (SAMBA_3_0)?
> 
> I think I've fixed this in winbindd in the lates SAMBA_3_0 cvs code.  
> Would you mind testing it an letting me know?   Only catch is 
> the domain
> the Samba box is joined to has to be a native mode domain.  
> Doesn't matter for the others.
> 
> We might still have problems with getting a wk/xp client to use
> kerberos to authenticate but that doesn't stopthe trusts from 
> working. I tested your exact scenario and several others and 
> everything seemed to work out ok.
> 
> 
> 
> 
> cheers, jerry
>  
> ----------------------------------------------------------------------
>  Hewlett-Packard            ------------------------- 
http://www.hp.com
 SAMBA Team                 ---------------------- http://www.samba.org
 GnuPG Key                  ---- http://www.plainjoe.org/gpg_public.asc
 "You can never go home again, Oatman, but I guess you can shop there."  
                            --John Cusack - "Grosse Point Blank" (1997)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
Comment: For info see http://quantumlab.net/pine_privacy_guard/

iD8DBQE/KLmCIR7qMdg1EfYRAmHJAJ94awZQ4Ls9wzlltL4l4lMOaQbRsgCeJQFb
CocrYNYyC92eW2O10G5x1Fk=
=9yV2
-----END PGP SIGNATURE-----

More information about the samba-technical mailing list