[Samba] Authentication with trusted credentials

Rowland penny rpenny at samba.org
Thu Jul 23 10:02:40 UTC 2020

On 23/07/2020 10:44, Yakov Revyakin wrote:
> Currently I have the following empirical knowledge about outgoing trust:
> - In case of creating this type of trust using direction=both we get 
> outgoing trust working partially - it is possible to login to Windows 
> member of trusting domain with trusted credentials as well as access 
> shares on trusted side further. It is impossible to make the same 
> login on Linux members.
> - In case of making the same trust on both sides separately it is 
> impossible to login to both Windows and Linux clients. So outgoing 
> trust doesn't work in this case.
> Two-ways trust works.
> Also I found the following
> man idmap_ad
> "Currently, the ad backend does not work as the default idmap backend, 
> but one has to configure it separately for each domain for which one 
> wants to use it, using disjoint ranges. One usually needs to configure 
> a writeable default idmap range, using for example the tdb or ldap 
> backend, in order to be able to map the BUILTIN sids and *possibly 
> other trusted domains*.
> In case of two-ways trust"
> From this I understand that we can manage trusted accounts via default 
> mapping only and the mapping regarding support of trusted domain was 
> made correctly.
No, you misunderstand here, the default domain '*' is used for the 
BUILTIN SIDs and anything outside the main Domain, UNLESS you also set 
'idmap config' lines for another domains. You could also use the 
'autorid' backend.
> What do you think about what I said above?
> Can we believe that outgoing trust works in the case of Windows clients?
> What is the actual status for outgoing trust support?

I think you are referring to 'one way' trusts and I don't think they 
work correctly on Samba, you have to use two trusts, which would be nice 
if I could get them to work on Samba domain member :-(

They appear to work on DC's, but not fully on domain members and, for 
the life of me, I cannot see why.

> PS: I sent the same questions to Stephan with hope to get answers
He certainly has more experience of this than myself.


More information about the samba mailing list