Tree-Root Transitive Trusts and winbindd

Steven Danneman steven.danneman at isilon.com
Wed Aug 19 17:20:32 MDT 2009


Hi Dave,

Thanks for the helpful info.  In my setup the [capaths] configuration
works like a charm, even on MIT 1.4.1.

It is a manual configuration, but a better workaround than creating
explicit "shortcut" trusts between Domain B and Domain C as I was doing.

-Steven

> -----Original Message-----
> From: Dave Daugherty [mailto:dave.daugherty at centrify.com]
> Sent: Wednesday, August 19, 2009 10:51 AM
> To: Steven Danneman; samba-technical at samba.org
> Subject: RE: Tree-Root Transitive Trusts and winbindd
> 
> Steven,
> 
> For MIT Kerberos I have used the krb5.conf directive [capaths] to
> overcome issues with multiple roots in the same forest.  The downside
> is that it is a manual configuration process.
> 
> http://web.mit.edu/Kerberos/krb5-1.5/krb5-1.5.4/doc/krb5-admin/capaths.html
> 
> Dave Daugherty
> 
> -----Original Message-----
> From: samba-technical-bounces at lists.samba.org
> [mailto:samba-technical-bounces at lists.samba.org] On Behalf Of Steven
> Danneman
> Sent: Wednesday, August 19, 2009 10:43 AM
> To: samba-technical at samba.org
> Subject: Tree-Root Transitive Trusts and winbindd
> 
> Hello All,
> 
> I've been doing a lot of investigation into how transitive tree-root
> trusts are handled by winbindd and I wanted to share my findings.
> 
> A transitive tree-root trust is formed in the following scenario:
> 
> Domain A - is a Forest Root domain
> Domain B - is a Tree Root domain in the same forest as Domain A
> Domain C - is a Tree Root domain in the same forest as Domain A
> 
> Server - is a Samba file server joined to Domain B
> Client - is a Windows desktop client joined to Domain B
> 
> In this scenario Domain A and Domain B have an explicit Tree-Root
> trust relationship between them.  The same explicit trust relationship
> exists between Domain A and Domain C.  An implicit transitive tree-root
> trust exists between Domain B and Domain C.
> 
> The problem that started me on this investigation was attempting to
> "net use" to the Server joined to Domain B from Client with
> credentials of a user in Domain C.  This should work, due to the
> implicit trust between them.  However, in my setup it did not.
> 
> I've tracked down the issue not to a bug in winbindd, but to the
> feature set of the underlying krb5 client libraries.  In order for the
> Server to authenticate the user in Domain C, the Server must
> authenticate itself to Domain C to acquire user information via LDAP.
> This is done through a series of Kerberos referral tickets as
> described in the following article:
> 
> http://technet.microsoft.com/en-us/library/bb742516.aspx
> 
> This chasing of referrals is handled by the Kerberos client library,
> but, as I found, it was not completely implemented in MIT libkrb5
> until version 1.7.  All previous versions of MIT's libkrb5 don't
> handle this referral chain properly, and thus cause a logon error in
> the scenario above.
> 
> I haven't done any testing with Heimdal, so I'm unsure of what the
> results there are.
> 
> My conclusion is that if you need to support authentication from
> transitive tree-root trusts, you must build winbindd with MIT libkrb5
> version 1.7.  This is important as this version is quite new and not
> yet included in many OS distributions.
> 
> -Steven


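As an added example (not part of the thread above, and not Samba's or MIT's own configuration), here is the krb5.conf [capaths] fragment that Dave's suggestion amounts to for Steven's three-domain scenario. The realm names A.EXAMPLE.COM, B.EXAMPLE.COM and C.EXAMPLE.COM and the file location /etc/krb5.conf on the Samba server joined to Domain B are assumptions; substitute the real forest-root and tree-root realm names.

```ini
# Added example, not from the thread: [capaths] in /etc/krb5.conf on the
# Samba server joined to Domain B. Realm names below are assumed.
#
# Assumed forest layout:
#   A.EXAMPLE.COM  forest root
#   B.EXAMPLE.COM  tree root; the Samba server's own realm
#   C.EXAMPLE.COM  tree root; the realm of the user being authenticated
#
# Each block is keyed by the client (initiating) realm. Inside it, each
# key is a target realm and the value is the intermediate realm whose
# KDC must be visited on the way. Pairs with no entry default to a
# direct cross-realm trust, so B -> A and C -> A need no line of their own.
[capaths]
    # The server's machine principal lives in B and must obtain a
    # service ticket for LDAP in C to look the user up: B -> A -> C.
    # Without this, pre-1.7 MIT libkrb5 tries B -> C directly and fails.
    B.EXAMPLE.COM = {
        C.EXAMPLE.COM = A.EXAMPLE.COM
    }
    # Mirror entry so that a principal from C using this host's
    # krb5.conf (for example kinit as a C user when testing) also walks
    # through A to reach services in B: C -> A -> B.
    C.EXAMPLE.COM = {
        B.EXAMPLE.COM = A.EXAMPLE.COM
    }
```

To check that the path is being used, kinit as a principal in B.EXAMPLE.COM, request a service ticket for something in C.EXAMPLE.COM (kvno with a C service principal), and run klist: the cache should contain the two cross-realm TGTs krbtgt/A.EXAMPLE.COM@B.EXAMPLE.COM and krbtgt/C.EXAMPLE.COM@A.EXAMPLE.COM, showing that the chain went through the forest root rather than being attempted directly. As Dave notes, this is manual: every time a tree-root domain is added to or removed from the forest, the corresponding block has to be edited on each Samba server.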