Diffstat (limited to 'docs/htmldocs/interdomaintrusts.html')
-rw-r--r-- | docs/htmldocs/interdomaintrusts.html | 451 |
1 files changed, 451 insertions, 0 deletions
diff --git a/docs/htmldocs/interdomaintrusts.html b/docs/htmldocs/interdomaintrusts.html new file mode 100644 index 0000000000..10efda81a2 --- /dev/null +++ b/docs/htmldocs/interdomaintrusts.html 
@@ -0,0 +1,451 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> +<HTML +><HEAD +><TITLE +>Interdomain Trust Relationships</TITLE +><META +NAME="GENERATOR" +CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK +REL="HOME" +TITLE="SAMBA Project Documentation" +HREF="samba-howto-collection.html"><LINK +REL="UP" +TITLE="Advanced Configuration" +HREF="optional.html"><LINK +REL="PREVIOUS" +TITLE="Desktop Profile Management" +HREF="profilemgmt.html"><LINK +REL="NEXT" +TITLE="PAM Configuration for Centrally Managed Authentication" +HREF="pam.html"></HEAD +><BODY +CLASS="CHAPTER" +BGCOLOR="#FFFFFF" +TEXT="#000000" +LINK="#0000FF" +VLINK="#840084" +ALINK="#0000FF" +><DIV +CLASS="NAVHEADER" +><TABLE +SUMMARY="Header navigation table" +WIDTH="100%" +BORDER="0" +CELLPADDING="0" +CELLSPACING="0" +><TR +><TH +COLSPAN="3" +ALIGN="center" +>SAMBA Project Documentation</TH +></TR +><TR +><TD +WIDTH="10%" +ALIGN="left" +VALIGN="bottom" +><A +HREF="profilemgmt.html" +ACCESSKEY="P" +>Prev</A +></TD +><TD +WIDTH="80%" +ALIGN="center" +VALIGN="bottom" +></TD +><TD +WIDTH="10%" +ALIGN="right" +VALIGN="bottom" +><A +HREF="pam.html" +ACCESSKEY="N" +>Next</A +></TD +></TR +></TABLE +><HR +ALIGN="LEFT" +WIDTH="100%"></DIV +><DIV +CLASS="CHAPTER" +><H1 +><A +NAME="INTERDOMAINTRUSTS" +></A +>Chapter 19. Interdomain Trust Relationships</H1 +><DIV +CLASS="TOC" +><DL +><DT +><B +>Table of Contents</B +></DT +><DT +>19.1. <A +HREF="interdomaintrusts.html#AEN3447" +>Trust Relationship Background</A +></DT +><DT +>19.2. <A +HREF="interdomaintrusts.html#AEN3456" +>Native MS Windows NT4 Trusts Configuration</A +></DT +><DD +><DL +><DT +>19.2.1. <A +HREF="interdomaintrusts.html#AEN3459" +>NT4 as the Trusting Domain (ie. creating the trusted account)</A +></DT +><DT +>19.2.2. <A +HREF="interdomaintrusts.html#AEN3462" +>NT4 as the Trusted Domain (ie. creating trusted account's password)</A +></DT +></DL +></DD +><DT +>19.3. 
<A +HREF="interdomaintrusts.html#AEN3465" +>Configuring Samba NT-style Domain Trusts</A +></DT +><DD +><DL +><DT +>19.3.1. <A +HREF="interdomaintrusts.html#AEN3469" +>Samba-3 as the Trusting Domain</A +></DT +><DT +>19.3.2. <A +HREF="interdomaintrusts.html#AEN3481" +>Samba-3 as the Trusted Domain</A +></DT +></DL +></DD +></DL +></DIV +><P +>Samba-3 supports NT4 style domain trust relationships. This is feature that many sites +will want to use if they migrate to Samba-3 from and NT4 style domain and do NOT want to +adopt Active Directory or an LDAP based authentication back end. This section explains +some background information regarding trust relationships and how to create them. It is now +possible for Samba-3 to NT4 trust (and vice versa), as well as Samba3 to Samba3 trusts.</P +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="AEN3447" +>19.1. Trust Relationship Background</A +></H1 +><P +>MS Windows NT3.x/4.0 type security domains employ a non-hierarchical security structure. +The limitations of this architecture as it affects the scalability of MS Windows networking +in large organisations is well known. Additionally, the flat-name space that results from +this design significantly impacts the delegation of administrative responsibilities in +large and diverse organisations.</P +><P +>Microsoft developed Active Directory Service (ADS), based on Kerberos and LDAP, as a means +of circumventing the limitations of the older technologies. Not every organisation is ready +or willing to embrace ADS. For small companies the older NT4 style domain security paradigm +is quite adequate, there thus remains an entrenched user base for whom there is no direct +desire to go through a disruptive change to adopt ADS.</P +><P +>Microsoft introduced with MS Windows NT the ability to allow differing security domains +to affect a mechanism so that users from one domain may be given access rights and privileges +in another domain. 
The language that describes this capability is couched in terms of +<SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>Trusts</I +></SPAN +>. Specifically, one domain will <SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>trust</I +></SPAN +> the users +from another domain. The domain from which users are available to another security domain is +said to be a trusted domain. The domain in which those users have assigned rights and privileges +is the trusting domain. With NT3.x/4.0 all trust relationships are always in one direction only, +thus if users in both domains are to have privileges and rights in each others' domain, then it is +necessary to establish two (2) relationships, one in each direction.</P +><P +>In an NT4 style MS security domain, all trusts are non-transitive. This means that if there +are three (3) domains (let's call them RED, WHITE, and BLUE) where RED and WHITE have a trust +relationship, and WHITE and BLUE have a trust relationship, then it holds that there is no +implied trust between the RED and BLUE domains. ie: Relationships are explicit and not +transitive.</P +><P +>New to MS Windows 2000 ADS security contexts is the fact that trust relationships are two-way +by default. Also, all inter-ADS domain trusts are transitive. In the case of the RED, WHITE and BLUE +domains above, with Windows 2000 and ADS the RED and BLUE domains CAN trust each other. This is +an inherent feature of ADS domains. Samba-3 implements MS Windows NT4 +style Interdomain trusts and interoperates with MS Windows 200x ADS +security domains in similar manner to MS Windows NT4 style domains.</P +></DIV +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="AEN3456" +>19.2. Native MS Windows NT4 Trusts Configuration</A +></H1 +><P +>There are two steps to creating an interdomain trust relationship.</P +><DIV +CLASS="SECT2" +><H2 +CLASS="SECT2" +><A +NAME="AEN3459" +>19.2.1. NT4 as the Trusting Domain (ie. 
creating the trusted account)</A +></H2 +><P +>For MS Windows NT4, all domain trust relationships are configured using the Domain User Manager. +To affect a two way trust relationship it is necessary for each domain administrator to make +available (for use by an external domain) it's security resources. This is done from the Domain +User Manager Policies entry on the menu bar. From the Policy menu, select Trust Relationships, then +next to the lower box that is labelled "Permitted to Trust this Domain" are two buttons, "Add" and +"Remove". The "Add" button will open a panel in which needs to be entered the remote domain that +will be able to assign user rights to your domain. In addition it is necessary to enter a password +that is specific to this trust relationship. The password needs to be +typed twice (for standard confirmation).</P +></DIV +><DIV +CLASS="SECT2" +><H2 +CLASS="SECT2" +><A +NAME="AEN3462" +>19.2.2. NT4 as the Trusted Domain (ie. creating trusted account's password)</A +></H2 +><P +>A trust relationship will work only when the other (trusting) domain makes the appropriate connections +with the trusted domain. To consumate the trust relationship the administrator will launch the +Domain User Manager, from the menu select Policies, then select Trust Relationships, then click on the +"Add" button that is next to the box that is labelled "Trusted Domains". A panel will open in +which must be entered the name of the remote domain as well as the password assigned to that trust.</P +></DIV +></DIV +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="AEN3465" +>19.3. Configuring Samba NT-style Domain Trusts</A +></H1 +><P +>This description is meant to be a fairly short introduction about how to set up a Samba server so +that it could participate in interdomain trust relationships. 
Trust relationship support in Samba +is in its early stage, so lot of things don't work yet.</P +><P +>Each of the procedures described below is treated as they were performed with Windows NT4 Server on +one end. The remote end could just as well be another Samba-3 domain. It can be clearly seen, after +reading this document, that combining Samba-specific parts of what's written below leads to trust +between domains in purely Samba environment.</P +><DIV +CLASS="SECT2" +><H2 +CLASS="SECT2" +><A +NAME="AEN3469" +>19.3.1. Samba-3 as the Trusting Domain</A +></H2 +><P +>In order to set Samba PDC to be trusted party of the relationship first you need +to create special account for the domain that will be the trusting party. To do that, +you can use the 'smbpasswd' utility. Creating the trusted domain account is very +similiar to creating a trusted machine account. Suppose, your domain is +called SAMBA, and the remote domain is called RUMBA. The first step +will be to issue this command from your favourite shell:</P +><P +><PRE +CLASS="SCREEN" +> <SAMP +CLASS="PROMPT" +>deity#</SAMP +> <KBD +CLASS="USERINPUT" +>smbpasswd -a -i rumba</KBD +> + New SMB password: XXXXXXXX + Retype SMB password: XXXXXXXX + Added user rumba$</PRE +> + +where <VAR +CLASS="PARAMETER" +>-a</VAR +> means to add a new account into the +passdb database and <VAR +CLASS="PARAMETER" +>-i</VAR +> means: ''create this +account with the InterDomain trust flag''</P +><P +>The account name will be 'rumba$' (the name of the remote domain)</P +><P +>After issuing this command you'll be asked to enter the password for +the account. You can use any password you want, but be aware that Windows NT will +not change this password until 7 days following account creation. +After the command returns successfully, you can look at the entry for new account +(in the way depending on your configuration) and see that account's name is +really RUMBA$ and it has 'I' flag in the flags field. 
Now you're ready to confirm +the trust by establishing it from Windows NT Server.</P +><P +>Open 'User Manager for Domains' and from menu 'Policies' select 'Trust Relationships...'. +Right beside 'Trusted domains' list box press 'Add...' button. You will be prompted for +the trusted domain name and the relationship password. Type in SAMBA, as this is +your domain name, and the password used at the time of account creation. +Press OK and, if everything went without incident, you will see 'Trusted domain relationship +successfully established' message.</P +></DIV +><DIV +CLASS="SECT2" +><H2 +CLASS="SECT2" +><A +NAME="AEN3481" +>19.3.2. Samba-3 as the Trusted Domain</A +></H2 +><P +>This time activities are somewhat reversed. Again, we'll assume that your domain +controlled by the Samba PDC is called SAMBA and NT-controlled domain is called RUMBA.</P +><P +>The very first thing requirement is to add an account for the SAMBA domain on RUMBA's PDC.</P +><P +>Launch the Domain User Manager, then from the menu select 'Policies', 'Trust Relationships'. +Now, next to 'Trusted Domains' box press the 'Add' button, and type in the name of the trusted +domain (SAMBA) and password securing the relationship.</P +><P +>The password can be arbitrarily chosen. It is easy to change it the password +from Samba server whenever you want. After confirming the password your account is +ready for use. Now it's Samba's turn.</P +><P +>Using your favourite shell while being logged in as root, issue this command:</P +><P +><SAMP +CLASS="PROMPT" +>deity# </SAMP +><KBD +CLASS="USERINPUT" +>net rpc trustdom establish rumba</KBD +></P +><P +>You will be prompted for the password you just typed on your Windows NT4 Server box. +Don not worry if you see an error message that mentions a returned code of +<SPAN +CLASS="ERRORNAME" +>NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT</SPAN +>. 
It means the +password you gave is correct and the NT4 Server says the account is +ready for interdomain connection and not for ordinary +connection. After that, be patient it can take a while (especially +in large networks), you should see the 'Success' message. Congratulations! Your trust +relationship has just been established.</P +><DIV +CLASS="NOTE" +><P +></P +><TABLE +CLASS="NOTE" +WIDTH="100%" +BORDER="0" +><TR +><TD +WIDTH="25" +ALIGN="CENTER" +VALIGN="TOP" +><IMG +SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/note.gif" +HSPACE="5" +ALT="Note"></TD +><TD +ALIGN="LEFT" +VALIGN="TOP" +><P +>Note that you have to run this command as root because you must have write access to +the <TT +CLASS="FILENAME" +>secrets.tdb</TT +> file.</P +></TD +></TR +></TABLE +></DIV +></DIV +></DIV +></DIV +><DIV +CLASS="NAVFOOTER" +><HR +ALIGN="LEFT" +WIDTH="100%"><TABLE +SUMMARY="Footer navigation table" +WIDTH="100%" +BORDER="0" +CELLPADDING="0" +CELLSPACING="0" +><TR +><TD +WIDTH="33%" +ALIGN="left" +VALIGN="top" +><A +HREF="profilemgmt.html" +ACCESSKEY="P" +>Prev</A +></TD +><TD +WIDTH="34%" +ALIGN="center" +VALIGN="top" +><A +HREF="samba-howto-collection.html" +ACCESSKEY="H" +>Home</A +></TD +><TD +WIDTH="33%" +ALIGN="right" +VALIGN="top" +><A +HREF="pam.html" +ACCESSKEY="N" +>Next</A +></TD +></TR +><TR +><TD +WIDTH="33%" +ALIGN="left" +VALIGN="top" +>Desktop Profile Management</TD +><TD +WIDTH="34%" +ALIGN="center" +VALIGN="top" +><A +HREF="optional.html" +ACCESSKEY="U" +>Up</A +></TD +><TD +WIDTH="33%" +ALIGN="right" +VALIGN="top" +>PAM Configuration for Centrally Managed Authentication</TD +></TR +></TABLE +></DIV +></BODY +></HTML +>
\ No newline at end of file |
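Review bot: the new section headings contradict the terminology the chapter defines in 19.1, where the domain whose users are made available is the trusted domain and the domain granting them rights is the trusting domain. 19.3.1 is titled "Samba-3 as the Trusting Domain", yet its first sentence says "set Samba PDC to be trusted party of the relationship" and its procedure (create rumba$ with `smbpasswd -a -i rumba`, then add SAMBA under 'Trusted domains' on the NT4 side) makes SAMBA the trusted domain; 19.2.1 "NT4 as the Trusting Domain (ie. creating the trusted account)" has the same inversion, since the body explains that the remote domain entered there "will be able to assign user rights to your domain". Suggest swapping the heading labels in 19.2 and 19.3 (or aligning each heading with its body) so a reader does not set the trust up backwards. In 19.3.2, "The password can be arbitrarily chosen" should be qualified: this password is the shared secret the trust rests on, so recommend a strong one even though it can be changed from the Samba side later. The note icon uses `SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/note.gif"`, a build-host filesystem path that will not resolve when the HTML is served; point it at a path under docs/htmldocs. Spelling and grammar to fix before merge: "consumate", "similiar", "Don not worry", "from and NT4 style domain", "This is feature", "it's security resources", "The very first thing requirement", "change it the password", and "affect a mechanism" / "To affect a two way trust" should read "effect".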