Fixed [was Re: Authentication through transitive trusts]
kcross at nssolutions.com
Thu Jul 31 21:05:11 GMT 2003
Jerry et al:
THANK YOU for your efforts! Here's what I've discovered so far with this
+-- CAMP (mixed-mode)
+-- KAMA (mixed-mode)
+-- JAYA (native-mode)
I know you said it must be native mode, but the DCs I was using were mixed
mode so I did some testing there first (once you change to native mode, you
can't go back). I had 2 mixed-mode DCs that are both Win2000 SP3.
The mixed-mode DCs basically acted like previous builds except that
enumerating users/groups showed them from all transitive trusts if "Allow
trusted domains" is enabled. That's nice. Authentication works as before,
i.e., authenticates against the DC and its parent.
wbinfo -m shows the same (self and parent), but wbinfo --sequence shows
sequence numbers from transitive trusts, too (if "Allow trusted domains" is
If "Allow trusted domains" is enabled, all users/groups on all transitive
trusts are displayed. Authentication works on all transitive trusts. Yea!
If "Allow trusted domains" is disabled, only users/groups in the domain
joined show up. Also, authentication only works on the joined domain.
Is that how it *should* work? Is there any way to enumerate users/groups
from the joined domain but authenticate against any domain?
We have a customer with 650+ domains. Clearly, enumerating all those
suckers will be painful. But if we join a "resource" domain, we'd want to
be able to authenticate against an "authentication" domain (that has all the
Also, do you think working with mixed-mode DCs is feasible?
Regardless, it's a big step forward -- thanks again.
Network Storage Solutions
Phone 865.675.4070 ext 31
kcross at nssolutions.com
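A small check for the behaviour reported above, added here as an example and not part of the thread or of Samba itself: given the domain list that `wbinfo -m` prints, it reports which of the domains you expect winbindd to trust are missing, so a box can be tested before it is relied on for authentication. It assumes `wbinfo` is on PATH only for the live check; the sample listing is constructed to mirror the mixed-mode result (self and parent only).

```shell
#!/bin/sh
# Added example: compare winbindd's visible trust list against what you expect.
# Assumes Samba's wbinfo on PATH for check_live; missing_domains is pure shell.

# missing_domains "EXPECTED DOMAINS" "WBINFO_M_OUTPUT"
# Prints, space-separated, the expected domains that do not appear as a whole
# line in the `wbinfo -m` listing (second argument). Prints an empty line if
# every expected domain is present. Names are compared case-insensitively.
missing_domains() {
    expected="$1"
    seen=$(printf '%s\n' "$2" | tr 'a-z' 'A-Z')
    missing=""
    for d in $expected; do
        want=$(printf '%s' "$d" | tr 'a-z' 'A-Z')
        if ! printf '%s\n' "$seen" | grep -Fqx "$want"; then
            missing="${missing:+$missing }$d"
        fi
    done
    printf '%s\n' "$missing"
}

# check_live "EXPECTED DOMAINS" runs wbinfo -m on this host and reports the gap.
# Exit status 1 when a domain is missing, 2 when wbinfo itself fails, so the
# function can gate a rollout that depends on authenticating across trusts.
check_live() {
    out=$(wbinfo -m 2>/dev/null) || {
        echo "wbinfo -m failed; is winbindd running?" >&2
        return 2
    }
    gap=$(missing_domains "$1" "$out")
    if [ -n "$gap" ]; then
        echo "domains not visible to winbindd: $gap" >&2
        return 1
    fi
    echo "all expected domains visible"
}

# Constructed sample: what `wbinfo -m` shows on the mixed-mode DC joined to
# KAMA (self and parent only, CAMP absent).
SAMPLE_MIXED_MODE="SUPTRA
KAMA"

if [ "${1:-}" = "--demo" ]; then
    missing_domains "SUPTRA KAMA CAMP" "$SAMPLE_MIXED_MODE"   # prints: CAMP
fi
```

Run `sh trustcheck.sh --demo` for the constructed sample, or call `check_live "SUPTRA KAMA CAMP"` on a joined host.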
> -----Original Message-----
> From: Gerald (Jerry) Carter [mailto:jerry at samba.org]
> Sent: Thursday, July 31, 2003 2:39 AM
> To: Ken Cross
> Cc: 'Multiple recipients of list SAMBA-TECHNICAL'
> Subject: Fixed [was Re: Authentication through transitive trusts]
> On Mon, 14 Jul 2003, Ken Cross wrote:
> > Samba-folk:
> > I'm having trouble authenticating through transitive trusts other than
> > parent-child configurations.
> > I have an Active Directory with SUPTRA at the top and 2 other AD
> > servers, KAMA and CAMP, so KAMA and CAMP have an implicit
> > trust.
> > 1. If Samba joins SUPTRA (the top), it can authenticate against any
> > domain.
> > 2. If Samba joins KAMA, it can authenticate against KAMA and/or
> > SUPTRA, but not CAMP. wbinfo -u shows users from all 3 servers, but
> > wbinfo -m only shows SUPTRA.
> > If I set up an explicit 2-way trust between KAMA and CAMP, it
> > authenticates OK. That's not practical in larger enterprises, though.
> > Is there some trick to using transitive trusts (SAMBA_3_0)?
> I think I've fixed this in winbindd in the latest SAMBA_3_0 cvs code.
> Would you mind testing it and letting me know? Only catch is the domain
> the Samba box is joined to has to be a native mode domain.
> Doesn't matter for the others.
> We might still have problems with getting a wk/xp client to use
> kerberos to authenticate but that doesn't stop the trusts from
> working. I tested your exact scenario and several others and
> everything seemed to work out ok.
> cheers, jerry
> Hewlett-Packard -------------------------
> SAMBA Team ---------------------- http://www.samba.org
> GnuPG Key ---- http://www.plainjoe.org/gpg_public.asc
> "You can never go home again, Oatman, but I guess you can shop there."
> --John Cusack - "Grosse Pointe Blank" (1997)