diff options
Diffstat (limited to 'docs/Samba3-HOWTO/TOSHARG-InterdomainTrusts.xml')
| -rw-r--r-- | docs/Samba3-HOWTO/TOSHARG-InterdomainTrusts.xml | 156 |
1 files changed, 80 insertions, 76 deletions
diff --git a/docs/Samba3-HOWTO/TOSHARG-InterdomainTrusts.xml b/docs/Samba3-HOWTO/TOSHARG-InterdomainTrusts.xml index 9a574c2639..1265e5ddae 100644 --- a/docs/Samba3-HOWTO/TOSHARG-InterdomainTrusts.xml +++ b/docs/Samba3-HOWTO/TOSHARG-InterdomainTrusts.xml @@ -25,7 +25,7 @@ <indexterm><primary>Active Directory</primary></indexterm> Samba-3 supports NT4-style domain trust relationships. This is a feature that many sites will want to use if they migrate to Samba-3 from an NT4-style domain and do not want to -adopt Active Directory or an LDAP-based authentication backend. This section explains +adopt Active Directory or an LDAP-based authentication backend. This chapter explains some background information regarding trust relationships and how to create them. It is now possible for Samba-3 to trust NT4 (and vice versa), as well as to create Samba-to-Samba trusts. @@ -35,17 +35,17 @@ trusts. <indexterm><primary>winbind</primary></indexterm> <indexterm><primary>UID range</primary></indexterm> <indexterm><primary>GID range</primary></indexterm> -The use of interdomain trusts requires use of <command>winbind</command>. Thus the +The use of interdomain trusts requires use of <command>winbind</command>, so the <command>winbindd</command> daemon must be running. Winbind operation in this mode is -dependant on the specification of a valid UID range and a valid GID range in the &smb.conf; file. +dependent on the specification of a valid UID range and a valid GID range in the &smb.conf; file. These are specified respectively using <smbconfoption name="idmap uid">10000-20000</smbconfoption> and <smbconfoption name="idmap gid">10000-20000</smbconfoption>. </para> <note><para> -The use of winbind is necessary only when Samba is the trusting Domain, not when it is the -trusted Domain. +The use of winbind is necessary only when Samba is the trusting domain, not when it is the +trusted domain. </para></note> <sect1> @@ -53,14 +53,14 @@ trusted Domain. <para> Samba-3 can participate in Samba-to-Samba as well as in Samba-to-MS Windows NT4-style -trust relationships. This imparts to Samba similar scalability as with MS Windows NT4. +trust relationships. This imparts to Samba scalability similar to that with MS Windows NT4. </para> <para> -Given that Samba-3 has the capability to function with a scalable backend authentication -database such as LDAP, and given its ability to run in Primary as well as Backup Domain Control +Given that Samba-3 can function with a scalable backend authentication +database such as LDAP, and given its ability to run in primary as well as backup domain control modes, the administrator would be well advised to consider alternatives to the use of -Interdomain trusts simply because by the very nature of how this works it is fragile. +interdomain trusts simply because, by the very nature of how this works, it is fragile. That was, after all, a key reason for the development and adoption of Microsoft Active Directory. </para> @@ -70,7 +70,7 @@ That was, after all, a key reason for the development and adoption of Microsoft <title>Trust Relationship Background</title> <para> -MS Windows NT3/4 type security domains employ a non-hierarchical security structure. +MS Windows NT3/4-type security domains employ a nonhierarchical security structure. The limitations of this architecture as it effects the scalability of MS Windows networking in large organizations is well known. Additionally, the flat namespace that results from this design significantly impacts the delegation of administrative responsibilities in @@ -81,35 +81,35 @@ large and diverse organizations. Microsoft developed Active Directory Service (ADS), based on Kerberos and LDAP, as a means of circumventing the limitations of the older technologies. Not every organization is ready or willing to embrace ADS. For small companies the older NT4-style domain security paradigm -is quite adequate, there remains an entrenched user base for whom there is no direct +is quite adequate, so there remains an entrenched user base for whom there is no direct desire to go through a disruptive change to adopt ADS. </para> <para> -With MS Windows NT, Microsoft introduced the ability to allow differing security domains +With Windows NT, Microsoft introduced the ability to allow different security domains to effect a mechanism so users from one domain may be given access rights and privileges in another domain. The language that describes this capability is couched in terms of -<emphasis>Trusts</emphasis>. Specifically, one domain will <emphasis>trust</emphasis> the users +<emphasis>trusts</emphasis>. Specifically, one domain will <emphasis>trust</emphasis> the users from another domain. The domain from which users are available to another security domain is said to be a trusted domain. The domain in which those users have assigned rights and privileges is the trusting domain. With NT3.x/4.0 all trust relationships are always in one direction only, -thus if users in both domains are to have privileges and rights in each others' domain, then it is +so if users in both domains are to have privileges and rights in each others' domain, then it is necessary to establish two relationships, one in each direction. </para> <para> -In an NT4-style MS security domain, all trusts are non-transitive. This means that if there -are three domains (let's call them RED, WHITE and BLUE) where RED and WHITE have a trust -relationship, and WHITE and BLUE have a trust relationship, then it holds that there is no -implied trust between the RED and BLUE domains. Relationships are explicit and not +In an NT4-style MS security domain, all trusts are nontransitive. This means that if there +are three domains (let's call them red, white, and blue), where red and white have a trust +relationship, and white and blue have a trust relationship, then it holds that there is no +implied trust between the red and blue domains. Relationships are explicit and not transitive. </para> <para> New to MS Windows 2000 ADS security contexts is the fact that trust relationships are two-way -by default. Also, all inter-ADS domain trusts are transitive. In the case of the RED, WHITE and BLUE -domains above, with Windows 2000 and ADS the RED and BLUE domains can trust each other. This is -an inherent feature of ADS domains. Samba-3 implements MS Windows NT4-style Interdomain trusts +by default. Also, all inter-ADS domain trusts are transitive. In the case of the red, white, and blue +domains, with Windows 2000 and ADS, the red and blue domains can trust each other. This is +an inherent feature of ADS domains. Samba-3 implements MS Windows NT4-style interdomain trusts and interoperates with MS Windows 200x ADS security domains in similar manner to MS Windows NT4-style domains. </para> @@ -151,17 +151,17 @@ The password needs to be typed twice (for standard confirmation). <para> <indexterm><primary>Interdomain Trusts</primary><secondary>Completing</secondary></indexterm> A trust relationship will work only when the other (trusting) domain makes the appropriate connections -with the trusted domain. To consummate the trust relationship, the administrator will launch the -Domain User Manager from the menu select <guilabel>Policies</guilabel>, then select -<guilabel>Trust Relationships</guilabel>, click on the <guibutton>Add</guibutton> button -next to the box that is labeled <guilabel>Trusted Domains</guilabel>. A panel will open in which +with the trusted domain. To consummate the trust relationship, the administrator launches the +Domain User Manager from the menu selects <guilabel>Policies</guilabel>, then select +<guilabel>Trust Relationships</guilabel>, and clicks on the <guibutton>Add</guibutton> button +next to the box that is labeled <guilabel>Trusted Domains</guilabel>. A panel opens in which must be entered the name of the remote domain as well as the password assigned to that trust. </para> </sect2> <sect2> -<title>Inter-Domain Trust Facilities</title> +<title>Interdomain Trust Facilities</title> <para> @@ -216,12 +216,12 @@ DomA and DomB), the following facilities are created: <itemizedlist> <listitem><para> - Users/Groups in a trusting domain cannot be granted rights, permissions or access + Users and groups in a trusting domain cannot be granted rights, permissions, or access to a trusted domain. </para></listitem> <listitem><para> - The trusting domain can access and use accounts (Users/Global Groups) in the + The trusting domain can access and use accounts (users/global groups) in the trusted domain. </para></listitem> @@ -236,13 +236,13 @@ DomA and DomB), the following facilities are created: </para></listitem> <listitem><para> - Trusted domain Global Groups can be given rights and permissions in the trusting + Trusted domain global groups can be given rights and permissions in the trusting domain. </para></listitem> <listitem><para> - Global Groups from the trusted domain can be made members in Local Groups on - MS Windows Domain Member machines. + Global groups from the trusted domain can be made members in local groups on + MS Windows domain member machines. </para></listitem> </itemizedlist> @@ -260,10 +260,10 @@ is at an early stage, so do not be surprised if something does not function as i </para> <para> -Each of the procedures described below assumes the peer domain in the trust relationship is +Each of the procedures described next assumes the peer domain in the trust relationship is controlled by a Windows NT4 server. However, the remote end could just as well be another Samba-3 domain. It can be clearly seen, after reading this document, that combining -Samba-specific parts of what's written below leads to trust between domains in a purely Samba +Samba-specific parts of what's written in the following sections leads to trust between domains in a purely Samba environment. </para> @@ -288,23 +288,23 @@ Added user rumba$ </screen> where <option>-a</option> means to add a new account into the -passdb database and <option>-i</option> means: <quote>create this -account with the Inter-Domain trust flag</quote>. +passdb database and <option>-i</option> means to <quote>create this +account with the Interdomain trust flag</quote>. </para> <para> The account name will be <quote>rumba$</quote> (the name of the remote domain). If this fails, you should check that the trust account has been added to the system password database (<filename>/etc/passwd</filename>). If it has not been added, you -can add it manually and then repeat the step above. +can add it manually and then repeat the previous step. </para> <para> After issuing this command, you will be asked to enter the password for the account. You can use any password you want, but be aware that Windows NT will -not change this password until seven days following account creation. +not change this password until 7 days following account creation. After the command returns successfully, you can look at the entry for the new account -(in the standard way as appropriate for your configuration) and see that accounts name is +(in the standard way as appropriate for your configuration) and see that the account's name is really RUMBA$ and it has the <quote>I</quote> flag set in the flags field. Now you are ready to confirm the trust by establishing it from Windows NT Server. </para> @@ -314,13 +314,15 @@ the trust by establishing it from Windows NT Server. <indexterm><primary>User Manager</primary></indexterm> Open <application>User Manager for Domains</application> and from the <guimenu>Policies</guimenu> menu, select <guimenuitem>Trust Relationships...</guimenuitem>. -Beside the <guilabel>Trusted domains</guilabel> list box click the +Beside the <guilabel>Trusted domains</guilabel> list box, click the <guimenu>Add...</guimenu> button. You will be prompted for the trusted domain name and the relationship password. Type in SAMBA, as this is the name of the remote domain and the password used at the time of account creation. -Click on <guibutton>OK</guibutton> and, if everything went without incident, you will see -the <computeroutput>Trusted domain relationship successfully -established</computeroutput> message. +Click on <guibutton>OK</guibutton> and, if everything went without incident, you will see the +<computeroutput> +Trusted domain relationship successfully established +</computeroutput> +message. </para> </sect2> @@ -341,19 +343,19 @@ The very first step is to add an account for the SAMBA domain on RUMBA's PDC. <indexterm><primary>User Manager</primary></indexterm> Launch the <application>Domain User Manager</application>, then from the menu select <guimenu>Policies</guimenu>, <guimenuitem>Trust Relationships</guimenuitem>. -Now, next to the <guilabel>Trusted Domains</guilabel> box press the <guibutton>Add</guibutton> +Now, next to the <guilabel>Trusted Domains</guilabel> box, press the <guibutton>Add</guibutton> button and type in the name of the trusted domain (SAMBA) and the password to use in securing the relationship. </para> <para> The password can be arbitrarily chosen. It is easy to change the password -from the Samba server whenever you want. After confirming the password your account is +from the Samba server whenever you want. After you confirm the password, your account is ready for use. Now its Samba's turn. </para> <para> -Using your favorite shell while being logged in as root, issue this command: +Using your favorite shell while logged in as root, issue this command: </para> <para> @@ -362,12 +364,12 @@ Using your favorite shell while being logged in as root, issue this command: <para> You will be prompted for the password you just typed on your Windows NT4 Server box. -An error message <errorname>`NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT'</errorname> +An error message, <errorname>"NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT,"</errorname> that may be reported periodically is of no concern and may safely be ignored. -It means the password you gave is correct and the NT4 Server says the account is ready for +It means the password you gave is correct and the NT4 server says the account is ready for interdomain connection and not for ordinary connection. After that, be patient; it can take a while (especially in large networks), but eventually you should see -the <computeroutput>Success</computeroutput> message. Congratulations! Your trust +the <literal>Success</literal> message. Congratulations! Your trust relationship has just been established. </para> @@ -385,25 +387,27 @@ the <filename>secrets.tdb</filename> file. Although <application>Domain User Manager</application> is not present in Windows 2000, it is also possible to establish an NT4-style trust relationship with a Windows 2000 domain controller running in mixed mode as the trusting server. It should also be possible for -Samba to trust a Windows 2000 server, however, more testing is still needed in this area. +Samba to trust a Windows 2000 server; however, more testing is still needed in this area. </para> <para> After <link linkend="samba-trusted-domain">creating the interdomain trust account on the -Samba server</link> as described above, open <application>Active Directory Domains and +Samba server</link> as described previously, open <application>Active Directory Domains and Trusts</application> on the AD controller of the domain whose resources you wish Samba users to have access to. Remember that since NT4-style trusts are not transitive, if you want your users to have access to multiple mixed-mode domains in your AD forest, you will need to -repeat this process for each of those domains. With <application>Active Directory Domains -and Trusts</application> open, right-click on the name of the Active Directory domain that +repeat this process for each of those domains. With <application>Active Directory domains +and trusts</application> open, right-click on the name of the Active Directory domain that will trust our Samba domain and choose <guimenuitem>Properties</guimenuitem>, then click on the <guilabel>Trusts</guilabel> tab. In the upper part of the panel, you will see a list box -labeled <guilabel>Domains trusted by this domain:</guilabel>, and an -<guilabel>Add...</guilabel> button next to it. Press this button and just as with NT4, you -will be prompted for the trusted domain name and the relationship password. Press OK and -after a moment, Active Directory will respond with <computeroutput>The trusted domain has -been added and the trust has been verified.</computeroutput> Your Samba users can now be -granted access to resources in the AD domain. +labeled <guilabel>Domains trusted by this domain:</guilabel> and an +<guilabel>Add...</guilabel> button next to it. Press this button and, just as with NT4, you +will be prompted for the trusted domain name and the relationship password. Press <emphasis>OK</emphasis> and +after a moment, Active Directory will respond with +<computeroutput> +The trusted domain has been added and the trust has been verified. +</computeroutput> +Your Samba users can now be granted access to resources in the AD domain. </para> </sect1> @@ -420,8 +424,8 @@ distributed trusted domains. <title>Browsing of Trusted Domain Fails</title> <para> -Browsing from a machine in a trusted Windows 200x Domain to a Windows 200x member of -a trusting samba domain, I get the following error: +<emphasis>Browsing from a machine in a trusted Windows 200x domain to a Windows 200x member of +a trusting Samba domain, I get the following error:</emphasis> </para> <screen> @@ -430,34 +434,34 @@ you can contact the server that authenticated you. </screen> <para> -The event logs on the box I'm trying to connect to have entries regarding group -policy not being applied because it is a member of a down-level domain. +<emphasis>The event logs on the box I'm trying to connect to have entries regarding group +policy not being applied because it is a member of a down-level domain.</emphasis> </para> -<para><emphasis>Answer: </emphasis> If there is a computer account in the Windows -200x Domain for the machine in question, and it is disabled, this problem can +<para>If there is a computer account in the Windows +200x domain for the machine in question, and it is disabled, this problem can occur. If there is no computer account (removed or never existed), or if that -account is still intact (i.e.: you just joined it to another domain) everything -seems to be fine. By default, when you un-join a domain (the Windows 200x -Domain), the computer tries to automatically disable the computer account in -the domain. If you are running as an account which has privileges to do this -when you un-join the machine, it is done, otherwise it is not done. +account is still intact (i.e., you just joined it to another domain), everything +seems to be fine. By default, when you unjoin a domain (the Windows 200x +domain), the computer tries to automatically disable the computer account in +the domain. If you are running as an account that has privileges to do this +when you unjoin the machine, it is done; otherwise it is not done. </para> </sect2> <sect2> -<title>Problems With LDAP ldapsam And The smbldap-tools</title> +<title>Problems with LDAP ldapsam and the smbldap-tools</title> <para> If you use the <command>smbldap-useradd</command> script to create a trust -account to set up Interdomain trusts the process of setting up the trust will +account to set up interdomain trusts, the process of setting up the trust will fail. The account that was created in the LDAP database will have an account -flags field that has <constant>[W ]</constant>, when it must have -<constant>[I ]</constant> for Interdomain trusts to work. +flags field that has <literal>[W ]</literal>, when it must have +<literal>[I ]</literal> for interdomain trusts to work. </para> -<para><emphasis>Answer: </emphasis>Here is a simple solution. +<para>Here is a simple solution. Create a machine account as follows: <screen> &rootprompt; smbldap-useradd -w domain_name @@ -485,8 +489,8 @@ Create a single-sided trust under the NT4 Domain User Manager, then execute: </para> <para> -It works with Samba-3 and NT4 Domains, and also with Samba-3 and Windows 200x ADS in mixed mode. -Both DC's, samba and NT, must have the same WINS server otherwise +It works with Samba-3 and NT4 domains, and also with Samba-3 and Windows 200x ADS in mixed mode. +Both domain controllers, Samba and NT must have the same WINS server; otherwise, the trust will never work. </para> |