Diffstat (limited to 'docs/htmldocs/interdomaintrusts.html')
-rw-r--r-- | docs/htmldocs/interdomaintrusts.html | 451 |
1 files changed, 0 insertions, 451 deletions
diff --git a/docs/htmldocs/interdomaintrusts.html b/docs/htmldocs/interdomaintrusts.html deleted file mode 100644 index c9fe4a533f..0000000000 --- a/docs/htmldocs/interdomaintrusts.html +++ /dev/null 
@@ -1,451 +0,0 @@ -<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> -<HTML -><HEAD -><TITLE ->Interdomain Trust Relationships</TITLE -><META -NAME="GENERATOR" -CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK -REL="HOME" -TITLE="SAMBA Project Documentation" -HREF="samba-howto-collection.html"><LINK -REL="UP" -TITLE="Advanced Configuration" -HREF="optional.html"><LINK -REL="PREVIOUS" -TITLE="Desktop Profile Management" -HREF="profilemgmt.html"><LINK -REL="NEXT" -TITLE="PAM Configuration for Centrally Managed Authentication" -HREF="pam.html"></HEAD -><BODY -CLASS="CHAPTER" -BGCOLOR="#FFFFFF" -TEXT="#000000" -LINK="#0000FF" -VLINK="#840084" -ALINK="#0000FF" -><DIV -CLASS="NAVHEADER" -><TABLE -SUMMARY="Header navigation table" -WIDTH="100%" -BORDER="0" -CELLPADDING="0" -CELLSPACING="0" -><TR -><TH -COLSPAN="3" -ALIGN="center" ->SAMBA Project Documentation</TH -></TR -><TR -><TD -WIDTH="10%" -ALIGN="left" -VALIGN="bottom" -><A -HREF="profilemgmt.html" -ACCESSKEY="P" ->Prev</A -></TD -><TD -WIDTH="80%" -ALIGN="center" -VALIGN="bottom" -></TD -><TD -WIDTH="10%" -ALIGN="right" -VALIGN="bottom" -><A -HREF="pam.html" -ACCESSKEY="N" ->Next</A -></TD -></TR -></TABLE -><HR -ALIGN="LEFT" -WIDTH="100%"></DIV -><DIV -CLASS="CHAPTER" -><H1 -><A -NAME="INTERDOMAINTRUSTS" -></A ->Chapter 19. Interdomain Trust Relationships</H1 -><DIV -CLASS="TOC" -><DL -><DT -><B ->Table of Contents</B -></DT -><DT ->19.1. <A -HREF="interdomaintrusts.html#AEN3446" ->Trust Relationship Background</A -></DT -><DT ->19.2. <A -HREF="interdomaintrusts.html#AEN3455" ->Native MS Windows NT4 Trusts Configuration</A -></DT -><DD -><DL -><DT ->19.2.1. <A -HREF="interdomaintrusts.html#AEN3458" ->NT4 as the Trusting Domain (ie. creating the trusted account)</A -></DT -><DT ->19.2.2. <A -HREF="interdomaintrusts.html#AEN3461" ->NT4 as the Trusted Domain (ie. creating trusted account's password)</A -></DT -></DL -></DD -><DT ->19.3. 
<A -HREF="interdomaintrusts.html#AEN3464" ->Configuring Samba NT-style Domain Trusts</A -></DT -><DD -><DL -><DT ->19.3.1. <A -HREF="interdomaintrusts.html#AEN3468" ->Samba-3 as the Trusting Domain</A -></DT -><DT ->19.3.2. <A -HREF="interdomaintrusts.html#AEN3480" ->Samba-3 as the Trusted Domain</A -></DT -></DL -></DD -></DL -></DIV -><P ->Samba-3 supports NT4 style domain trust relationships. This is feature that many sites -will want to use if they migrate to Samba-3 from and NT4 style domain and do NOT want to -adopt Active Directory or an LDAP based authentication back end. This section explains -some background information regarding trust relationships and how to create them. It is now -possible for Samba-3 to NT4 trust (and vice versa), as well as Samba3 to Samba3 trusts.</P -><DIV -CLASS="SECT1" -><H1 -CLASS="SECT1" -><A -NAME="AEN3446" ->19.1. Trust Relationship Background</A -></H1 -><P ->MS Windows NT3.x/4.0 type security domains employ a non-hierarchical security structure. -The limitations of this architecture as it affects the scalability of MS Windows networking -in large organisations is well known. Additionally, the flat-name space that results from -this design significantly impacts the delegation of administrative responsibilities in -large and diverse organisations.</P -><P ->Microsoft developed Active Directory Service (ADS), based on Kerberos and LDAP, as a means -of circumventing the limitations of the older technologies. Not every organisation is ready -or willing to embrace ADS. For small companies the older NT4 style domain security paradigm -is quite adequate, there thus remains an entrenched user base for whom there is no direct -desire to go through a disruptive change to adopt ADS.</P -><P ->Microsoft introduced with MS Windows NT the ability to allow differing security domains -to affect a mechanism so that users from one domain may be given access rights and privileges -in another domain. 
The language that describes this capability is couched in terms of -<SPAN -CLASS="emphasis" -><I -CLASS="EMPHASIS" ->Trusts</I -></SPAN ->. Specifically, one domain will <SPAN -CLASS="emphasis" -><I -CLASS="EMPHASIS" ->trust</I -></SPAN -> the users -from another domain. The domain from which users are available to another security domain is -said to be a trusted domain. The domain in which those users have assigned rights and privileges -is the trusting domain. With NT3.x/4.0 all trust relationships are always in one direction only, -thus if users in both domains are to have privileges and rights in each others' domain, then it is -necessary to establish two (2) relationships, one in each direction.</P -><P ->In an NT4 style MS security domain, all trusts are non-transitive. This means that if there -are three (3) domains (let's call them RED, WHITE, and BLUE) where RED and WHITE have a trust -relationship, and WHITE and BLUE have a trust relationship, then it holds that there is no -implied trust between the RED and BLUE domains. ie: Relationships are explicit and not -transitive.</P -><P ->New to MS Windows 2000 ADS security contexts is the fact that trust relationships are two-way -by default. Also, all inter-ADS domain trusts are transitive. In the case of the RED, WHITE and BLUE -domains above, with Windows 2000 and ADS the RED and BLUE domains CAN trust each other. This is -an inherent feature of ADS domains. Samba-3 implements MS Windows NT4 -style Interdomain trusts and interoperates with MS Windows 200x ADS -security domains in similar manner to MS Windows NT4 style domains.</P -></DIV -><DIV -CLASS="SECT1" -><H1 -CLASS="SECT1" -><A -NAME="AEN3455" ->19.2. Native MS Windows NT4 Trusts Configuration</A -></H1 -><P ->There are two steps to creating an interdomain trust relationship.</P -><DIV -CLASS="SECT2" -><H2 -CLASS="SECT2" -><A -NAME="AEN3458" ->19.2.1. NT4 as the Trusting Domain (ie. 
creating the trusted account)</A -></H2 -><P ->For MS Windows NT4, all domain trust relationships are configured using the Domain User Manager. -To affect a two way trust relationship it is necessary for each domain administrator to make -available (for use by an external domain) it's security resources. This is done from the Domain -User Manager Policies entry on the menu bar. From the Policy menu, select Trust Relationships, then -next to the lower box that is labelled "Permitted to Trust this Domain" are two buttons, "Add" and -"Remove". The "Add" button will open a panel in which needs to be entered the remote domain that -will be able to assign user rights to your domain. In addition it is necessary to enter a password -that is specific to this trust relationship. The password needs to be -typed twice (for standard confirmation).</P -></DIV -><DIV -CLASS="SECT2" -><H2 -CLASS="SECT2" -><A -NAME="AEN3461" ->19.2.2. NT4 as the Trusted Domain (ie. creating trusted account's password)</A -></H2 -><P ->A trust relationship will work only when the other (trusting) domain makes the appropriate connections -with the trusted domain. To consumate the trust relationship the administrator will launch the -Domain User Manager, from the menu select Policies, then select Trust Relationships, then click on the -"Add" button that is next to the box that is labelled "Trusted Domains". A panel will open in -which must be entered the name of the remote domain as well as the password assigned to that trust.</P -></DIV -></DIV -><DIV -CLASS="SECT1" -><H1 -CLASS="SECT1" -><A -NAME="AEN3464" ->19.3. Configuring Samba NT-style Domain Trusts</A -></H1 -><P ->This description is meant to be a fairly short introduction about how to set up a Samba server so -that it could participate in interdomain trust relationships. 
Trust relationship support in Samba -is in its early stage, so lot of things don't work yet.</P -><P ->Each of the procedures described below is treated as they were performed with Windows NT4 Server on -one end. The remote end could just as well be another Samba-3 domain. It can be clearly seen, after -reading this document, that combining Samba-specific parts of what's written below leads to trust -between domains in purely Samba environment.</P -><DIV -CLASS="SECT2" -><H2 -CLASS="SECT2" -><A -NAME="AEN3468" ->19.3.1. Samba-3 as the Trusting Domain</A -></H2 -><P ->In order to set Samba PDC to be trusted party of the relationship first you need -to create special account for the domain that will be the trusting party. To do that, -you can use the 'smbpasswd' utility. Creating the trusted domain account is very -similiar to creating a trusted machine account. Suppose, your domain is -called SAMBA, and the remote domain is called RUMBA. The first step -will be to issue this command from your favourite shell:</P -><P -><PRE -CLASS="SCREEN" -> <SAMP -CLASS="PROMPT" ->deity#</SAMP -> <KBD -CLASS="USERINPUT" ->smbpasswd -a -i rumba</KBD -> - New SMB password: XXXXXXXX - Retype SMB password: XXXXXXXX - Added user rumba$</PRE -> - -where <VAR -CLASS="PARAMETER" ->-a</VAR -> means to add a new account into the -passdb database and <VAR -CLASS="PARAMETER" ->-i</VAR -> means: ''create this -account with the InterDomain trust flag''</P -><P ->The account name will be 'rumba$' (the name of the remote domain)</P -><P ->After issuing this command you'll be asked to enter the password for -the account. You can use any password you want, but be aware that Windows NT will -not change this password until 7 days following account creation. -After the command returns successfully, you can look at the entry for new account -(in the way depending on your configuration) and see that account's name is -really RUMBA$ and it has 'I' flag in the flags field. 
Now you're ready to confirm -the trust by establishing it from Windows NT Server.</P -><P ->Open 'User Manager for Domains' and from menu 'Policies' select 'Trust Relationships...'. -Right beside 'Trusted domains' list box press 'Add...' button. You will be prompted for -the trusted domain name and the relationship password. Type in SAMBA, as this is -your domain name, and the password used at the time of account creation. -Press OK and, if everything went without incident, you will see 'Trusted domain relationship -successfully established' message.</P -></DIV -><DIV -CLASS="SECT2" -><H2 -CLASS="SECT2" -><A -NAME="AEN3480" ->19.3.2. Samba-3 as the Trusted Domain</A -></H2 -><P ->This time activities are somewhat reversed. Again, we'll assume that your domain -controlled by the Samba PDC is called SAMBA and NT-controlled domain is called RUMBA.</P -><P ->The very first thing requirement is to add an account for the SAMBA domain on RUMBA's PDC.</P -><P ->Launch the Domain User Manager, then from the menu select 'Policies', 'Trust Relationships'. -Now, next to 'Trusted Domains' box press the 'Add' button, and type in the name of the trusted -domain (SAMBA) and password securing the relationship.</P -><P ->The password can be arbitrarily chosen. It is easy to change it the password -from Samba server whenever you want. After confirming the password your account is -ready for use. Now it's Samba's turn.</P -><P ->Using your favourite shell while being logged in as root, issue this command:</P -><P -><SAMP -CLASS="PROMPT" ->deity# </SAMP -><KBD -CLASS="USERINPUT" ->net rpc trustdom establish rumba</KBD -></P -><P ->You will be prompted for the password you just typed on your Windows NT4 Server box. -Don not worry if you see an error message that mentions a returned code of -<SPAN -CLASS="ERRORNAME" ->NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT</SPAN ->. 
It means the -password you gave is correct and the NT4 Server says the account is -ready for interdomain connection and not for ordinary -connection. After that, be patient it can take a while (especially -in large networks), you should see the 'Success' message. Congratulations! Your trust -relationship has just been established.</P -><DIV -CLASS="NOTE" -><P -></P -><TABLE -CLASS="NOTE" -WIDTH="100%" -BORDER="0" -><TR -><TD -WIDTH="25" -ALIGN="CENTER" -VALIGN="TOP" -><IMG -SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/note.gif" -HSPACE="5" -ALT="Note"></TD -><TD -ALIGN="LEFT" -VALIGN="TOP" -><P ->Note that you have to run this command as root because you must have write access to -the <TT -CLASS="FILENAME" ->secrets.tdb</TT -> file.</P -></TD -></TR -></TABLE -></DIV -></DIV -></DIV -></DIV -><DIV -CLASS="NAVFOOTER" -><HR -ALIGN="LEFT" -WIDTH="100%"><TABLE -SUMMARY="Footer navigation table" -WIDTH="100%" -BORDER="0" -CELLPADDING="0" -CELLSPACING="0" -><TR -><TD -WIDTH="33%" -ALIGN="left" -VALIGN="top" -><A -HREF="profilemgmt.html" -ACCESSKEY="P" ->Prev</A -></TD -><TD -WIDTH="34%" -ALIGN="center" -VALIGN="top" -><A -HREF="samba-howto-collection.html" -ACCESSKEY="H" ->Home</A -></TD -><TD -WIDTH="33%" -ALIGN="right" -VALIGN="top" -><A -HREF="pam.html" -ACCESSKEY="N" ->Next</A -></TD -></TR -><TR -><TD -WIDTH="33%" -ALIGN="left" -VALIGN="top" ->Desktop Profile Management</TD -><TD -WIDTH="34%" -ALIGN="center" -VALIGN="top" -><A -HREF="optional.html" -ACCESSKEY="U" ->Up</A -></TD -><TD -WIDTH="33%" -ALIGN="right" -VALIGN="top" ->PAM Configuration for Centrally Managed Authentication</TD -></TR -></TABLE -></DIV -></BODY -></HTML ->
\ No newline at end of file |
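Review bot: this hunk deletes generated output rather than source (the removed file's META GENERATOR tag reads "Modular DocBook HTML Stylesheet Version 1.7"), so the removal is only safe if the DocBook source for "Chapter 19. Interdomain Trust Relationships" stays in the tree and the build regenerates this page; nothing on this commit page shows a matching source change, so confirm the chapter still builds and that samba-howto-collection.html, optional.html, profilemgmt.html and pam.html, which the deleted page links to as HOME/UP/PREV/NEXT, are not left with dangling links to interdomaintrusts.html. It is also worth checking that the operational guidance in the removed text survives wherever the chapter now lives, in particular the note that `net rpc trustdom establish rumba` must run as root because it needs write access to `secrets.tdb`, the statement that NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT is the expected response for a trust account rather than a failure, and the advice that "You can use any password you want" for the trust password, which deserves a stronger recommendation since that secret authenticates an entire domain.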