[Samba] Samba3 Trust Relationships?

K. Hawkes k.hawkes at darknyte.force9.co.uk
Mon Mar 22 19:08:27 GMT 2004


Hey all,

After setting up a migration server (a server which
will act as a test for a Samba 3.x environment), so
we can make sure our migration from Samba 2.2.x
to 3.x goes as smoothly as possible, I've hit upon
a problem. Now I am not sure whether this is the
fault of Samba (my configuration) or NT4, or
whether this is in fact designed behaviour for
both/either servers. I'd like to overcome the
problem if it's possible but I am not sure how.

Systems :
    1x NT4 PDC (NTDOM)
    2x W2K Workstations - SP4 - no additional patches.
    1x Samba3 PDC (SMBDOM) - Running RH9 (samba-3.0.2a)

I have set up a one-way trust between NTDOM and SMBDOM
so that users on NTDOM-joined PCs can connect and log in
to both networks, but those connected to SMBDOM can only
log in to the SMBDOM domain, not both domains as NTDOM-connected
PCs can do.

The problem itself (if you can call it a problem) is this :
I have a selection of users on both PDCs. The user I am testing with
this is called 'keith', he exists on both PDCs but has different
passwords. He is a Domain User on both PDCs and has permissions to both
his profile share and home-directory share on both PDCs.

On the UNIX side, he is a member of UNIX group 'users' which
maps to 'Domain Users'. On NT, he is a member of Domain Users.

If I log in to NTDOM as keith and then perform a NET USE to a
share on SMBDOM, it asks me for the password for access to the
resource. This is the problem: I and my colleagues were under the
impression that a trust relationship would allow a user on NTDOM
to access resources on SMBDOM regardless of their account status
on SMBDOM.

The NET USE command is done like so :
NET USE X: \\SAMBA3\WORK (Keith's Home Dir on SMBDOM).

It asks for the password for this. I have a feeling this is designed
behaviour but I am unsure what to do to PREVENT it asking for the
password. Security on shares isn't really a problem as no one can
access another's home directory or profile directory, only those in
UNIX group 'domadm' which maps to Domain Admins have access to
any profile or home directory. Most other shares on the server are
public, you must be a member of group 'users' or 'staff' to access
them.

If anyone has any ideas or suggestions or can help in any way I'd
be most appreciative.

Thanking you all in advance,

Mr. K. Hawkes

"What we do in life echoes in eternity." - Anon
"You look back upon choices you've made, you wonder 'what if' and wonder if
you should have done it differently... but then you'd not be you anymore,
you'd be someone else, asking the same set of questions." - Anon



