[Samba] Authentication with trusted credentials

Yakov Revyakin yrevyakin at gmail.com
Thu Jul 23 09:44:31 UTC 2020

Currently I have the following empirical knowledge about outgoing trust:
- In case of creating this type of trust using direction=both we get
outgoing trust working partially - it is possible to login to Windows
member of trusting domain with trusted credentials as well as access shares
on trusted side further. It is impossible to make the same login on Linux
- In case of making the same trust on both sides separately it is
impossible to login to both Windows and Linux clients. So outgoing
trust doesn't work in this case.

Two-way trust works.

Also I found the following
man idmap_ad
"Currently, the ad backend does not work as the default idmap backend, but
one has to configure it separately for each domain for which one wants to
use it, using disjoint ranges. One usually needs to configure a writeable
default idmap range, using for example the tdb or ldap backend, in order to
be able to map the BUILTIN sids and *possibly other trusted domains*.
In case of two-ways trust"

From this I understand that we can manage trusted accounts via default
mapping only and the mapping regarding support of trusted domain was made

What do you think about what I said above?
Can we believe that outgoing trust works in the case of Windows clients?
What is the actual status for outgoing trust support?

PS: I sent the same questions to Stephan in the hope of getting answers

On Tue, 21 Jul 2020 at 17:54, Rowland penny via samba <samba at lists.samba.org>

> On 21/07/2020 15:38, Yakov Revyakin wrote:
> > Hi Rowland,
> > Thank you for the effort
> >
> > My output as you requested:
> > ## Samba DC
> > d at us-smdc3:~$ wbinfo --online-status
> > BUILTIN : active connection
> > SVITLA3 : active connection
> > APEX : active connection
> >
> > ## Linux Client
> > d at uc-sm18:~$ wbinfo --online-status
> > BUILTIN : online
> > UC-SM18 : online
> > SVITLA3 : online
> > APEX : online
> >
> > # UC-SM18 is a Linux member of SVITLA3.
> >
> > You decided to demonstrate too difficult a case. I only want to prove
> > that I can ssh to UC-SM18 at SVITLA3.ROOM with a trusted account from
> > the trusted APEX.CORP domain using the trust capabilities of Samba DC. It is
> > a very common case when someone with an account in the main organization wants
> > to log in on-premises at another one which is in a trust relationship
> > with the main one.
> >
> Perhaps I did go over the top, but I wanted to be sure that I had trusts
> set up correctly.
> I can get the user & group info for a domain on the other domain, but I
> cannot log into a Linux domain member in one domain using a user from
> the other domain i.e. DOMAIN\\user@linux-client.example.com
> Now comes the strange bit, it works to a DC, just found this out.
> I will examine the logs and see if I can work out why.
> Rowland
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
