path: root/docs/docbook/projdoc/InterdomainTrusts.sgml
Diffstat (limited to 'docs/docbook/projdoc/InterdomainTrusts.sgml')
-rw-r--r--docs/docbook/projdoc/InterdomainTrusts.sgml222
1 files changed, 0 insertions, 222 deletions
diff --git a/docs/docbook/projdoc/InterdomainTrusts.sgml b/docs/docbook/projdoc/InterdomainTrusts.sgml
deleted file mode 100644
index 2c492d4ac0..0000000000
--- a/docs/docbook/projdoc/InterdomainTrusts.sgml
+++ /dev/null
@@ -1,222 +0,0 @@
-<chapter id="InterdomainTrusts">
-<chapterinfo>
- &author.jht;
- &author.mimir;
- <pubdate>April 3, 2003</pubdate>
-</chapterinfo>
-
-<title>Interdomain Trust Relationships</title>
-
-<para>
-Samba-3 supports NT4 style domain trust relationships. This is feature that many sites
-will want to use if they migrate to Samba-3 from and NT4 style domain and do NOT want to
-adopt Active Directory or an LDAP based authentication back end. This section explains
-some background information regarding trust relationships and how to create them. It is now
-possible for Samba-3 to NT4 trust (and vice versa), as well as Samba3 to Samba3 trusts.
-</para>
-
-<sect1>
-<title>Trust Relationship Background</title>
-
-<para>
-MS Windows NT3.x/4.0 type security domains employ a non-hierarchical security structure.
-The limitations of this architecture as it affects the scalability of MS Windows networking
-in large organisations is well known. Additionally, the flat-name space that results from
-this design significantly impacts the delegation of administrative responsibilities in
-large and diverse organisations.
-</para>
-
-<para>
-Microsoft developed Active Directory Service (ADS), based on Kerberos and LDAP, as a means
-of circumventing the limitations of the older technologies. Not every organisation is ready
-or willing to embrace ADS. For small companies the older NT4 style domain security paradigm
-is quite adequate, there thus remains an entrenched user base for whom there is no direct
-desire to go through a disruptive change to adopt ADS.
-</para>
-
-<para>
-Microsoft introduced with MS Windows NT the ability to allow differing security domains
-to affect a mechanism so that users from one domain may be given access rights and privileges
-in another domain. The language that describes this capability is couched in terms of
-<emphasis>Trusts</emphasis>. Specifically, one domain will <emphasis>trust</emphasis> the users
-from another domain. The domain from which users are available to another security domain is
-said to be a trusted domain. The domain in which those users have assigned rights and privileges
-is the trusting domain. With NT3.x/4.0 all trust relationships are always in one direction only,
-thus if users in both domains are to have privileges and rights in each others' domain, then it is
-necessary to establish two (2) relationships, one in each direction.
-</para>
-
-<para>
-In an NT4 style MS security domain, all trusts are non-transitive. This means that if there
-are three (3) domains (let's call them RED, WHITE, and BLUE) where RED and WHITE have a trust
-relationship, and WHITE and BLUE have a trust relationship, then it holds that there is no
-implied trust between the RED and BLUE domains. ie: Relationships are explicit and not
-transitive.
-</para>
-
-<para>
-New to MS Windows 2000 ADS security contexts is the fact that trust relationships are two-way
-by default. Also, all inter-ADS domain trusts are transitive. In the case of the RED, WHITE and BLUE
-domains above, with Windows 2000 and ADS the RED and BLUE domains CAN trust each other. This is
-an inherent feature of ADS domains. Samba-3 implements MS Windows NT4
-style Interdomain trusts and interoperates with MS Windows 200x ADS
-security domains in similar manner to MS Windows NT4 style domains.
-</para>
-
-</sect1>
-
-<sect1>
-<title>Native MS Windows NT4 Trusts Configuration</title>
-
-<para>
-There are two steps to creating an interdomain trust relationship.
-</para>
-
-<sect2>
-<title>NT4 as the Trusting Domain (ie. creating the trusted account)</title>
-
-<para>
-For MS Windows NT4, all domain trust relationships are configured using the Domain User Manager.
-To affect a two way trust relationship it is necessary for each domain administrator to make
-available (for use by an external domain) it's security resources. This is done from the Domain
-User Manager Policies entry on the menu bar. From the Policy menu, select Trust Relationships, then
-next to the lower box that is labelled "Permitted to Trust this Domain" are two buttons, "Add" and
-"Remove". The "Add" button will open a panel in which needs to be entered the remote domain that
-will be able to assign user rights to your domain. In addition it is necessary to enter a password
-that is specific to this trust relationship. The password needs to be
-typed twice (for standard confirmation).
-</para>
-
-</sect2>
-
-<sect2>
-<title>NT4 as the Trusted Domain (ie. creating trusted account's password)</title>
-
-<para>
-A trust relationship will work only when the other (trusting) domain makes the appropriate connections
-with the trusted domain. To consumate the trust relationship the administrator will launch the
-Domain User Manager, from the menu select Policies, then select Trust Relationships, then click on the
-"Add" button that is next to the box that is labelled "Trusted Domains". A panel will open in
-which must be entered the name of the remote domain as well as the password assigned to that trust.
-</para>
-
-</sect2>
-</sect1>
-
-<sect1>
-<title>Configuring Samba NT-style Domain Trusts</title>
-
-<para>
-This description is meant to be a fairly short introduction about how to set up a Samba server so
-that it could participate in interdomain trust relationships. Trust relationship support in Samba
-is in its early stage, so lot of things don't work yet.
-</para>
-
-<para>
-Each of the procedures described below is treated as they were performed with Windows NT4 Server on
-one end. The remote end could just as well be another Samba-3 domain. It can be clearly seen, after
-reading this document, that combining Samba-specific parts of what's written below leads to trust
-between domains in purely Samba environment.
-</para>
-
-<sect2>
-<title>Samba-3 as the Trusting Domain</title>
-
-<para>
-In order to set the Samba PDC to be the trusted party of the relationship first you need
-to create special account for the domain that will be the trusting party. To do that,
-you can use the 'smbpasswd' utility. Creating the trusted domain account is very
-similiar to creating a trusted machine account. Suppose, your domain is
-called SAMBA, and the remote domain is called RUMBA. The first step
-will be to issue this command from your favourite shell:
-</para>
-
-<para>
-<screen>
-<prompt>deity#</prompt> <userinput>smbpasswd -a -i rumba</userinput>
- New SMB password: XXXXXXXX
- Retype SMB password: XXXXXXXX
- Added user rumba$
-</screen>
-
-where <parameter>-a</parameter> means to add a new account into the
-passdb database and <parameter>-i</parameter> means: ''create this
-account with the InterDomain trust flag''
-</para>
-
-<para>
-The account name will be 'rumba$' (the name of the remote domain)
-</para>
-
-<para>
-After issuing this command you'll be asked to enter the password for
-the account. You can use any password you want, but be aware that Windows NT will
-not change this password until 7 days following account creation.
-After the command returns successfully, you can look at the entry for the new account
-(in the stardard way depending on your configuration) and see that account's name is
-really RUMBA$ and it has 'I' flag in the flags field. Now you're ready to confirm
-the trust by establishing it from Windows NT Server.
-</para>
-
-<para>
-Open 'User Manager for Domains' and from menu 'Policies' select 'Trust Relationships...'.
-Right beside 'Trusted domains' list box press 'Add...' button. You will be prompted for
-the trusted domain name and the relationship password. Type in SAMBA, as this is
-your domain name, and the password used at the time of account creation.
-Press OK and, if everything went without incident, you will see 'Trusted domain relationship
-successfully established' message.
-</para>
-
-</sect2>
-<sect2>
-<title>Samba-3 as the Trusted Domain</title>
-
-<para>
-This time activities are somewhat reversed. Again, we'll assume that your domain
-controlled by the Samba PDC is called SAMBA and NT-controlled domain is called RUMBA.
-</para>
-
-<para>
-The very first thing requirement is to add an account for the SAMBA domain on RUMBA's PDC.
-</para>
-
-<para>
-Launch the Domain User Manager, then from the menu select 'Policies', 'Trust Relationships'.
-Now, next to 'Trusted Domains' box press the 'Add' button, and type in the name of the trusted
-domain (SAMBA) and password securing the relationship.
-</para>
-
-<para>
-The password can be arbitrarily chosen. It is easy to change the password
-from the Samba server whenever you want. After confirming the password your account is
-ready for use. Now it's Samba's turn.
-</para>
-
-<para>
-Using your favourite shell while being logged in as root, issue this command:
-</para>
-
-<para>
-<prompt>deity# </prompt><userinput>net rpc trustdom establish rumba</userinput>
-</para>
-
-<para>
-You will be prompted for the password you just typed on your Windows NT4 Server box.
-Do not worry if you see an error message that mentions a returned code of
-<errorname>NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT</errorname>. It means the
-password you gave is correct and the NT4 Server says the account is
-ready for interdomain connection and not for ordinary
-connection. After that, be patient it can take a while (especially
-in large networks), you should see the 'Success' message. Congratulations! Your trust
-relationship has just been established.
-</para>
-
-<note><para>
-Note that you have to run this command as root because you must have write access to
-the <filename>secrets.tdb</filename> file.
-</para></note>
-
-</sect2>
-</sect1>
-
-</chapter>
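Review bot: This hunk deletes the whole chapter with no replacement anywhere in the diff, so the only documented procedure for the trust account (`smbpasswd -a -i rumba` producing `rumba$` with the `I` flag, `net rpc trustdom establish rumba`, and the note that the command must run as root for write access to `secrets.tdb`) disappears from the tree; the commit should state where this content moved or why it is obsolete. If the chapter is being relocated rather than dropped, the move is worth preserving the `id="InterdomainTrusts"` anchor, since other docbook files may cross-reference it. Two points in the removed text also deserve a check in whatever replaces it: the expected `NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT` return from the NT4 side is described as a success indicator, and the claim that Windows NT will not change the trust password until 7 days after account creation is stated without a source; both should carry over only if they are still accurate.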