[Samba] Domain member, security = ADS|domain and trusts with NT4
jon at sutinen.com
Thu Jul 12 19:26:42 GMT 2007
After extensive testing, the answer I come up with is "yes, and no."

Jonathan Johnson wrote:
> I presently have a Samba server (3.0.21b) set up as a member server in
> an NT4 domain (with a real Windows NT4 PDC). We are migrating to an
> Active Directory domain (with a real Windows 2003 domain controller).
> We have set up a two-way trust between the old NT4 domain "CLUNKY" and
> the new ADS domain "SLEEK" (aka sleek.local). The Samba server is a
> member of the CLUNKY domain (security = domain) and authentication is
> against the PDC for the CLUNKY domain.
> How can I ensure that users in both CLUNKY and SLEEK can access the
> Samba server? Will joining the Samba server to SLEEK with security =
> ADS allow this? Will Samba honor the domain trust?
If a share is not restricted with "valid users =", then the user in
SLEEK can access the share on the Samba server in CLUNKY. However, if
you have restrictions on the share such as

    valid users = @CLUNKY+sales, CLUNKY+fred

then the user 'fred' in the SLEEK domain will NOT be able to access. You
can grant SLEEK+fred access by modifying:

    valid users = @CLUNKY+sales, CLUNKY+fred, SLEEK+fred

so it appears that you can add users in trusted domains to the 'valid
users =' directive. However, groups of trusted domains don't work:

    valid users = @CLUNKY+sales, @SLEEK+sales

If 'fred' is a member of the group SLEEK+sales, fred will NOT have
access (assuming the Samba server is in the CLUNKY domain).
Sutinen Consulting, Inc.
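
An added example, not part of the original post: a small audit that reads an smb.conf and lists every "valid users" entry naming a domain other than the one the server belongs to, separating trusted-domain users (which the post reports work) from trusted-domain groups (which the post reports do not work on this setup). The function names and the sample configuration are constructed for illustration; the domain names and the "+" separator are taken from the post.

```python
# Constructed sample smb.conf using the domain names from the post.
SAMPLE_SMB_CONF = """
[global]
   workgroup = CLUNKY
   security = domain
   winbind separator = +
[sales]
   valid users = @CLUNKY+sales, CLUNKY+fred, SLEEK+fred
[reports]
   valid users = @CLUNKY+sales, @SLEEK+sales
[public]
   path = /srv/public
"""

def parse_smb_conf(text):
    """Minimal smb.conf reader: {section: {parameter: value}}, names lower-cased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[" ".join(key.lower().split())] = value.strip()
    return sections

def audit_valid_users(conf_text):
    """Return (share, entry, kind) for each 'valid users' entry from another domain."""
    sections = parse_smb_conf(conf_text)
    glob = sections.get("global", {})
    member_domain = glob.get("workgroup", "").upper()
    sep = glob.get("winbind separator", "\\")  # Samba's default separator is a backslash
    findings = []
    for share, params in sections.items():
        if share == "global":
            continue
        # Entries are split on commas, as written in the post.
        for entry in filter(None, (e.strip() for e in params.get("valid users", "").split(","))):
            name = entry.lstrip("@")
            if sep not in name:
                continue  # unqualified name: no domain to compare
            if name.split(sep, 1)[0].upper() != member_domain:
                findings.append((share, entry, "group" if entry.startswith("@") else "user"))
    return findings

if __name__ == "__main__":
    for share, entry, kind in audit_valid_users(SAMPLE_SMB_CONF):
        status = "reported NOT to grant access" if kind == "group" else "reported to work"
        print(f"[{share}] {entry}: trusted-domain {kind}, {status}")
```

Entries flagged as "group" are the ones to re-test after a migration, since a share restricted only by such a group would lock out its intended users under the behaviour described in the post.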