[Samba] Authentication with trusted credentials
Rowland penny
rpenny at samba.org
Thu Jul 23 10:02:40 UTC 2020
On 23/07/2020 10:44, Yakov Revyakin wrote:
> Currently I have the following empirical knowledge about outgoing trust:
> - In case of creating this type of trust using direction=both we get
> outgoing trust working partially - it is possible to log in to a Windows
> member of the trusting domain with trusted credentials as well as access
> shares on the trusted side further. It is impossible to make the same
> login on Linux members.
> - In case of making the same trust on both sides separately it is
> impossible to log in to both Windows and Linux clients. So outgoing
> trust doesn't work in this case.
>
> Two-way trust works.
>
> Also I found the following
> man idmap_ad
> "Currently, the ad backend does not work as the default idmap backend,
> but one has to configure it separately for each domain for which one
> wants to use it, using disjoint ranges. One usually needs to configure
> a writeable default idmap range, using for example the tdb or ldap
> backend, in order to be able to map the BUILTIN sids and *possibly
> other trusted domains*.
> In case of two-ways trust"
>
> From this I understand that we can manage trusted accounts via default
> mapping only and the mapping regarding support of trusted domain was
> made correctly.
No, you misunderstand here, the default domain '*' is used for the
BUILTIN SIDs and anything outside the main Domain, UNLESS you also set
'idmap config' lines for other domains. You could also use the
'autorid' backend.
>
> What do you think about what I said above?
> Can we believe that outgoing trust works in the case of Windows clients?
> What is the actual status for outgoing trust support?
I think you are referring to 'one way' trusts and I don't think they
work correctly on Samba, you have to use two trusts, which would be nice
if I could get them to work on a Samba domain member :-(
They appear to work on DCs, but not fully on domain members and, for
the life of me, I cannot see why.
>
> PS: I sent the same questions to Stephan with hope to get answers
>
He certainly has more experience of this than myself.
Rowland
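An added example, not code from the thread or from Samba: a small Python check of the idmap layout Rowland describes. It parses a constructed smb.conf fragment (the domain names SAMDOM, TRUSTED and OTHER are made up), reports ranges that are not disjoint, and lists which trusted domains have no 'idmap config' block of their own and will therefore be mapped by the default '*' backend.

```python
import re
from itertools import combinations

# Constructed smb.conf fragment (hypothetical domain names). SAMDOM and
# TRUSTED deliberately overlap to show the disjoint-range check firing.
SMB_CONF = """
[global]
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config SAMDOM : backend = ad
   idmap config SAMDOM : range = 10000-999999
   idmap config TRUSTED : backend = ad
   idmap config TRUSTED : range = 500000-1999999
"""

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(conf):
    """Return {domain: {option: value}} for every 'idmap config' line."""
    cfg = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
            cfg.setdefault(dom, {})[opt] = val
    return cfg

def parse_range(text):
    lo, hi = (int(x) for x in text.split("-"))
    return lo, hi

def check_idmap(conf, trusted_domains):
    """Return (problems, fallback): config errors, and trusted domains that fall back to '*'."""
    cfg = parse_idmap(conf)
    problems = []
    if "*" not in cfg:
        problems.append("no default '*' idmap domain configured")
    ranges = {}
    for dom, opts in cfg.items():
        if "backend" not in opts or "range" not in opts:
            problems.append(f"{dom}: needs both backend and range")
            continue
        ranges[dom] = parse_range(opts["range"])
    # Every pair of ranges must be disjoint, as man idmap_ad requires.
    for (a, ra), (b, rb) in combinations(ranges.items(), 2):
        if ra[0] <= rb[1] and rb[0] <= ra[1]:
            problems.append(f"{a} range {ra} overlaps {b} range {rb}")
    # Domains with no block of their own are handled by the '*' backend.
    fallback = [d for d in trusted_domains if d.upper() not in cfg]
    return problems, fallback
```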