diff options
Diffstat (limited to 'docs/docbook/projdoc/InterdomainTrusts.xml')
| -rw-r--r-- | docs/docbook/projdoc/InterdomainTrusts.xml | 392 |
1 files changed, 0 insertions, 392 deletions
diff --git a/docs/docbook/projdoc/InterdomainTrusts.xml b/docs/docbook/projdoc/InterdomainTrusts.xml deleted file mode 100644 index 7cbd673643..0000000000 --- a/docs/docbook/projdoc/InterdomainTrusts.xml +++ /dev/null @@ -1,392 +0,0 @@ -<chapter id="InterdomainTrusts"> -<chapterinfo> - &author.jht; - &author.mimir; - <author>&person.jelmer;<contrib>drawing</contrib></author> - <author> - <firstname>Stephen</firstname><surname>Langasek</surname> - <affiliation> - <address><email>vorlon@netexpress.net</email></address> - </affiliation> - </author> - <pubdate>April 3, 2003</pubdate> -</chapterinfo> - -<title>Interdomain Trust Relationships</title> - - -<para> -<indexterm><primary>Interdomain Trusts</primary></indexterm> -Samba-3 supports NT4-style domain trust relationships. This is a feature that many sites -will want to use if they migrate to Samba-3 from an NT4-style domain and do not want to -adopt Active Directory or an LDAP-based authentication backend. This section explains -some background information regarding trust relationships and how to create them. It is now -possible for Samba-3 to trust NT4 (and vice versa), as well as to create Samba-to-Samba -trusts. -</para> - -<sect1> -<title>Features and Benefits</title> - -<para> -Samba-3 can participate in Samba-to-Samba as well as in Samba-to-MS Windows NT4-style -trust relationships. This imparts to Samba similar scalability as with MS Windows NT4. -</para> - -<para> -Given that Samba-3 has the capability to function with a scalable backend authentication -database such as LDAP, and given its ability to run in Primary as well as Backup Domain Control -modes, the administrator would be well advised to consider alternatives to the use of -Interdomain trusts simply because by the very nature of how this works it is fragile. -That was, after all, a key reason for the development and adoption of Microsoft Active Directory. -</para> - -</sect1> - -<sect1> -<title>Trust Relationship Background</title> - -<para> -MS Windows NT3/4 type security domains employ a non-hierarchical security structure. -The limitations of this architecture as it effects the scalability of MS Windows networking -in large organizations is well known. Additionally, the flat namespace that results from -this design significantly impacts the delegation of administrative responsibilities in -large and diverse organizations. -</para> - -<para> -Microsoft developed Active Directory Service (ADS), based on Kerberos and LDAP, as a means -of circumventing the limitations of the older technologies. Not every organization is ready -or willing to embrace ADS. For small companies the older NT4-style domain security paradigm -is quite adequate, there remains an entrenched user base for whom there is no direct -desire to go through a disruptive change to adopt ADS. -</para> - -<para> -With MS Windows NT, Microsoft introduced the ability to allow differing security domains -to effect a mechanism so users from one domain may be given access rights and privileges -in another domain. The language that describes this capability is couched in terms of -<emphasis>Trusts</emphasis>. Specifically, one domain will <emphasis>trust</emphasis> the users -from another domain. The domain from which users are available to another security domain is -said to be a trusted domain. The domain in which those users have assigned rights and privileges -is the trusting domain. With NT3.x/4.0 all trust relationships are always in one direction only, -thus if users in both domains are to have privileges and rights in each others' domain, then it is -necessary to establish two relationships, one in each direction. -</para> - -<para> -In an NT4-style MS security domain, all trusts are non-transitive. This means that if there -are three domains (let's call them RED, WHITE and BLUE) where RED and WHITE have a trust -relationship, and WHITE and BLUE have a trust relationship, then it holds that there is no -implied trust between the RED and BLUE domains. Relationships are explicit and not -transitive. -</para> - -<para> -New to MS Windows 2000 ADS security contexts is the fact that trust relationships are two-way -by default. Also, all inter-ADS domain trusts are transitive. In the case of the RED, WHITE and BLUE -domains above, with Windows 2000 and ADS the RED and BLUE domains can trust each other. This is -an inherent feature of ADS domains. Samba-3 implements MS Windows NT4-style Interdomain trusts -and interoperates with MS Windows 200x ADS security domains in similar manner to MS Windows NT4-style domains. -</para> - -</sect1> - -<sect1> -<title>Native MS Windows NT4 Trusts Configuration</title> - -<para> -There are two steps to creating an interdomain trust relationship. To effect a two-way trust -relationship, it is necessary for each domain administrator to create a trust account for the -other domain to use in verifying security credentials. -<indexterm><primary>Interdomain Trusts</primary><secondary>creating</secondary></indexterm> -</para> - - -<sect2> -<title>Creating an NT4 Domain Trust</title> - -<para> -For MS Windows NT4, all domain trust relationships are configured using the -<application>Domain User Manager</application>. This is done from the Domain User Manager Policies -entry on the menu bar. From the <guimenu>Policy</guimenu> menu, select -<guimenuitem>Trust Relationships</guimenuitem>. Next to the lower box labeled -<guilabel>Permitted to Trust this Domain</guilabel> are two buttons, <guibutton>Add</guibutton> -and <guibutton>Remove</guibutton>. The <guibutton>Add</guibutton> button will open a panel in which -to enter the name of the remote domain that will be able to assign access rights to users in -your domain. You will also need to enter a password for this trust relationship, which the -trusting domain will use when authenticating users from the trusted domain. -The password needs to be typed twice (for standard confirmation). -</para> - -</sect2> - - -<sect2> -<title>Completing an NT4 Domain Trust</title> - -<para> -<indexterm><primary>Interdomain Trusts</primary><secondary>Completing</secondary></indexterm> -A trust relationship will work only when the other (trusting) domain makes the appropriate connections -with the trusted domain. To consummate the trust relationship, the administrator will launch the -Domain User Manager from the menu select <guilabel>Policies</guilabel>, then select -<guilabel>Trust Relationships</guilabel>, click on the <guibutton>Add</guibutton> button -next to the box that is labeled <guilabel>Trusted Domains</guilabel>. A panel will open in which -must be entered the name of the remote domain as well as the password assigned to that trust. -</para> - -</sect2> - -<sect2> -<title>Inter-Domain Trust Facilities</title> - - -<para> -<indexterm><primary>Interdomain Trusts</primary><secondary>Facilities</secondary></indexterm> -A two-way trust relationship is created when two one-way trusts are created, one in each direction. -Where a one-way trust has been established between two MS Windows NT4 domains (let's call them -DomA and DomB), the following facilities are created: -</para> - -<image id="trusts1"><imagefile>trusts1</imagefile><imagedescription>Trusts overview.</imagedescription></image> - -<itemizedlist> - <listitem><para> - DomA (completes the trust connection) <parameter>Trusts</parameter> DomB. - </para></listitem> - - <listitem><para> - DomA is the <parameter>Trusting</parameter> domain. - </para></listitem> - - <listitem><para> - DomB is the <parameter>Trusted</parameter> domain (originates the trust account). - </para></listitem> - - <listitem><para> - Users in DomB can access resources in DomA. - </para></listitem> - - <listitem><para> - Users in DomA cannot access resources in DomB. - </para></listitem> - - <listitem><para> - Global groups from DomB can be used in DomA. - </para></listitem> - - <listitem><para> - Global groups from DomA cannot be used in DomB. - </para></listitem> - - <listitem><para> - DomB does appear in the logon dialog box on client workstations in DomA. - </para></listitem> - - <listitem><para> - DomA does not appear in the logon dialog box on client workstations in DomB. - </para></listitem> -</itemizedlist> - -<itemizedlist> - <listitem><para> - Users/Groups in a trusting domain cannot be granted rights, permissions or access - to a trusted domain. - </para></listitem> - - <listitem><para> - The trusting domain can access and use accounts (Users/Global Groups) in the - trusted domain. - </para></listitem> - - <listitem><para> - Administrators of the trusted domain can be granted admininstrative rights in the - trusting domain. - </para></listitem> - - <listitem><para> - Users in a trusted domain can be given rights and privileges in the trusting - domain. - </para></listitem> - - <listitem><para> - Trusted domain Global Groups can be given rights and permissions in the trusting - domain. - </para></listitem> - - <listitem><para> - Global Groups from the trusted domain can be made members in Local Groups on - MS Windows Domain Member machines. - </para></listitem> -</itemizedlist> - -</sect2> - -</sect1> - -<sect1> -<title>Configuring Samba NT-Style Domain Trusts</title> - -<para> -This description is meant to be a fairly short introduction about how to set up a Samba server so -that it can participate in interdomain trust relationships. Trust relationship support in Samba -is at an early stage, so do not be surprised if something does not function as it should. -</para> - -<para> -Each of the procedures described below assumes the peer domain in the trust relationship is -controlled by a Windows NT4 server. However, the remote end could just as well be another -Samba-3 domain. It can be clearly seen, after reading this document, that combining -Samba-specific parts of what's written below leads to trust between domains in a purely Samba -environment. -</para> - -<sect2 id="samba-trusted-domain"> -<title>Samba as the Trusted Domain</title> - -<para> -In order to set the Samba PDC to be the trusted party of the relationship, you first need -to create a special account for the domain that will be the trusting party. To do that, -you can use the <command>smbpasswd</command> utility. Creating the trusted domain account is -similar to creating a trusted machine account. Suppose, your domain is -called SAMBA, and the remote domain is called RUMBA. The first step -will be to issue this command from your favorite shell: -</para> - -<para> -<screen> -&rootprompt; <userinput>smbpasswd -a -i rumba</userinput> -New SMB password: <userinput>XXXXXXXX</userinput> -Retype SMB password: <userinput>XXXXXXXX</userinput> -Added user rumba$ -</screen> - -where <option>-a</option> means to add a new account into the -passdb database and <option>-i</option> means: <quote>create this -account with the InterDomain trust flag</quote>. -</para> - -<para> -The account name will be <quote>rumba$</quote> (the name of the remote domain). -</para> - -<para> -After issuing this command, you will be asked to enter the password for -the account. You can use any password you want, but be aware that Windows NT will -not change this password until seven days following account creation. -After the command returns successfully, you can look at the entry for the new account -(in the standard way as appropriate for your configuration) and see that account's name is -really RUMBA$ and it has the <quote>I</quote> flag set in the flags field. Now you are ready to confirm -the trust by establishing it from Windows NT Server. -</para> - - -<para> -<indexterm><primary>User Manager</primary></indexterm> -Open <application>User Manager for Domains</application> and from the -<guimenu>Policies</guimenu> menu, select <guimenuitem>Trust Relationships...</guimenuitem>. -Beside the <guilabel>Trusted domains</guilabel> list box click the -<guimenu>Add...</guimenu> button. You will be prompted for -the trusted domain name and the relationship password. Type in SAMBA, as this is -the name of the remote domain and the password used at the time of account creation. -Click on <guibutton>OK</guibutton> and, if everything went without incident, you will see -the <computeroutput>Trusted domain relationship successfully -established</computeroutput> message. -</para> - -</sect2> -<sect2> -<title>Samba as the Trusting Domain</title> - -<para> -This time activities are somewhat reversed. Again, we'll assume that your domain -controlled by the Samba PDC is called SAMBA and the NT-controlled domain is called RUMBA. -</para> - -<para> -The very first step is to add an account for the SAMBA domain on RUMBA's PDC. -</para> - - -<para> -<indexterm><primary>User Manager</primary></indexterm> -Launch the <application>Domain User Manager</application>, then from the menu select -<guimenu>Policies</guimenu>, <guimenuitem>Trust Relationships</guimenuitem>. -Now, next to the <guilabel>Trusted Domains</guilabel> box press the <guibutton>Add</guibutton> -button and type in the name of the trusted domain (SAMBA) and the password to use in securing -the relationship. -</para> - -<para> -The password can be arbitrarily chosen. It is easy to change the password -from the Samba server whenever you want. After confirming the password your account is -ready for use. Now its Samba's turn. -</para> - -<para> -Using your favorite shell while being logged in as root, issue this command: -</para> - -<para> -&rootprompt;<userinput>net rpc trustdom establish rumba</userinput> -</para> - -<para> -You will be prompted for the password you just typed on your Windows NT4 Server box. -An error message <errorname>`NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT'</errorname> -that may be reported periodically is of no concern and may safely be ignored. -It means the password you gave is correct and the NT4 Server says the account is ready for -interdomain connection and not for ordinary connection. After that, be patient; -it can take a while (especially in large networks), but eventually you should see -the <computeroutput>Success</computeroutput> message. Congratulations! Your trust -relationship has just been established. -</para> - -<note><para> -You have to run this command as root because you must have write access to -the <filename>secrets.tdb</filename> file. -</para></note> - -</sect2> -</sect1> - -<sect1> -<title>NT4-Style Domain Trusts with Windows 2000</title> -<para> -Although <application>Domain User Manager</application> is not present in Windows 2000, it is -also possible to establish an NT4-style trust relationship with a Windows 2000 domain -controller running in mixed mode as the trusting server. It should also be possible for -Samba to trust a Windows 2000 server, however, more testing is still needed in this area. -</para> - -<para> -After <link linkend="samba-trusted-domain">creating the interdomain trust account on the -Samba server</link> as described above, open <application>Active Directory Domains and -Trusts</application> on the AD controller of the domain whose resources you wish Samba users -to have access to. Remember that since NT4-style trusts are not transitive, if you want -your users to have access to multiple mixed-mode domains in your AD forest, you will need to -repeat this process for each of those domains. With <application>Active Directory Domains -and Trusts</application> open, right-click on the name of the Active Directory domain that -will trust our Samba domain and choose <guimenuitem>Properties</guimenuitem>, then click on -the <guilabel>Trusts</guilabel> tab. In the upper part of the panel, you will see a list box -labeled <guilabel>Domains trusted by this domain:</guilabel>, and an -<guilabel>Add...</guilabel> button next to it. Press this button and just as with NT4, you -will be prompted for the trusted domain name and the relationship password. Press OK and -after a moment, Active Directory will respond with <computeroutput>The trusted domain has -been added and the trust has been verified.</computeroutput> Your Samba users can now be -granted acess to resources in the AD domain. -</para> -</sect1> - -<sect1> -<title>Common Errors</title> - -<para> -Interdomain trust relationships should not be attempted on networks that are unstable -or that suffer regular outages. Network stability and integrity are key concerns with -distributed trusted domains. -</para> - -</sect1> - -</chapter> |