Diffstat (limited to 'docs/htmldocs/interdomaintrusts.html')
-rw-r--r-- docs/htmldocs/interdomaintrusts.html 451
1 files changed, 451 insertions, 0 deletions
diff --git a/docs/htmldocs/interdomaintrusts.html b/docs/htmldocs/interdomaintrusts.html
new file mode 100644
index 0000000000..10efda81a2
--- /dev/null
+++ b/docs/htmldocs/interdomaintrusts.html
@@ -0,0 +1,451 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
+<HTML
+><HEAD
+><TITLE
+>Interdomain Trust Relationships</TITLE
+><META
+NAME="GENERATOR"
+CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK
+REL="HOME"
+TITLE="SAMBA Project Documentation"
+HREF="samba-howto-collection.html"><LINK
+REL="UP"
+TITLE="Advanced Configuration"
+HREF="optional.html"><LINK
+REL="PREVIOUS"
+TITLE="Desktop Profile Management"
+HREF="profilemgmt.html"><LINK
+REL="NEXT"
+TITLE="PAM Configuration for Centrally Managed Authentication"
+HREF="pam.html"></HEAD
+><BODY
+CLASS="CHAPTER"
+BGCOLOR="#FFFFFF"
+TEXT="#000000"
+LINK="#0000FF"
+VLINK="#840084"
+ALINK="#0000FF"
+><DIV
+CLASS="NAVHEADER"
+><TABLE
+SUMMARY="Header navigation table"
+WIDTH="100%"
+BORDER="0"
+CELLPADDING="0"
+CELLSPACING="0"
+><TR
+><TH
+COLSPAN="3"
+ALIGN="center"
+>SAMBA Project Documentation</TH
+></TR
+><TR
+><TD
+WIDTH="10%"
+ALIGN="left"
+VALIGN="bottom"
+><A
+HREF="profilemgmt.html"
+ACCESSKEY="P"
+>Prev</A
+></TD
+><TD
+WIDTH="80%"
+ALIGN="center"
+VALIGN="bottom"
+></TD
+><TD
+WIDTH="10%"
+ALIGN="right"
+VALIGN="bottom"
+><A
+HREF="pam.html"
+ACCESSKEY="N"
+>Next</A
+></TD
+></TR
+></TABLE
+><HR
+ALIGN="LEFT"
+WIDTH="100%"></DIV
+><DIV
+CLASS="CHAPTER"
+><H1
+><A
+NAME="INTERDOMAINTRUSTS"
+></A
+>Chapter 19. Interdomain Trust Relationships</H1
+><DIV
+CLASS="TOC"
+><DL
+><DT
+><B
+>Table of Contents</B
+></DT
+><DT
+>19.1. <A
+HREF="interdomaintrusts.html#AEN3447"
+>Trust Relationship Background</A
+></DT
+><DT
+>19.2. <A
+HREF="interdomaintrusts.html#AEN3456"
+>Native MS Windows NT4 Trusts Configuration</A
+></DT
+><DD
+><DL
+><DT
+>19.2.1. <A
+HREF="interdomaintrusts.html#AEN3459"
+>NT4 as the Trusting Domain (ie. creating the trusted account)</A
+></DT
+><DT
+>19.2.2. <A
+HREF="interdomaintrusts.html#AEN3462"
+>NT4 as the Trusted Domain (ie. creating trusted account's password)</A
+></DT
+></DL
+></DD
+><DT
+>19.3. <A
+HREF="interdomaintrusts.html#AEN3465"
+>Configuring Samba NT-style Domain Trusts</A
+></DT
+><DD
+><DL
+><DT
+>19.3.1. <A
+HREF="interdomaintrusts.html#AEN3469"
+>Samba-3 as the Trusting Domain</A
+></DT
+><DT
+>19.3.2. <A
+HREF="interdomaintrusts.html#AEN3481"
+>Samba-3 as the Trusted Domain</A
+></DT
+></DL
+></DD
+></DL
+></DIV
+><P
+>Samba-3 supports NT4 style domain trust relationships. This is feature that many sites
+will want to use if they migrate to Samba-3 from and NT4 style domain and do NOT want to
+adopt Active Directory or an LDAP based authentication back end. This section explains
+some background information regarding trust relationships and how to create them. It is now
+possible for Samba-3 to NT4 trust (and vice versa), as well as Samba3 to Samba3 trusts.</P
+><DIV
+CLASS="SECT1"
+><H1
+CLASS="SECT1"
+><A
+NAME="AEN3447"
+>19.1. Trust Relationship Background</A
+></H1
+><P
+>MS Windows NT3.x/4.0 type security domains employ a non-hierarchical security structure.
+The limitations of this architecture as it affects the scalability of MS Windows networking
+in large organisations is well known. Additionally, the flat-name space that results from
+this design significantly impacts the delegation of administrative responsibilities in
+large and diverse organisations.</P
+><P
+>Microsoft developed Active Directory Service (ADS), based on Kerberos and LDAP, as a means
+of circumventing the limitations of the older technologies. Not every organisation is ready
+or willing to embrace ADS. For small companies the older NT4 style domain security paradigm
+is quite adequate, there thus remains an entrenched user base for whom there is no direct
+desire to go through a disruptive change to adopt ADS.</P
+><P
+>Microsoft introduced with MS Windows NT the ability to allow differing security domains
+to affect a mechanism so that users from one domain may be given access rights and privileges
+in another domain. The language that describes this capability is couched in terms of
+<SPAN
+CLASS="emphasis"
+><I
+CLASS="EMPHASIS"
+>Trusts</I
+></SPAN
+>. Specifically, one domain will <SPAN
+CLASS="emphasis"
+><I
+CLASS="EMPHASIS"
+>trust</I
+></SPAN
+> the users
+from another domain. The domain from which users are available to another security domain is
+said to be a trusted domain. The domain in which those users have assigned rights and privileges
+is the trusting domain. With NT3.x/4.0 all trust relationships are always in one direction only,
+thus if users in both domains are to have privileges and rights in each others' domain, then it is
+necessary to establish two (2) relationships, one in each direction.</P
+><P
+>In an NT4 style MS security domain, all trusts are non-transitive. This means that if there
+are three (3) domains (let's call them RED, WHITE, and BLUE) where RED and WHITE have a trust
+relationship, and WHITE and BLUE have a trust relationship, then it holds that there is no
+implied trust between the RED and BLUE domains. ie: Relationships are explicit and not
+transitive.</P
+><P
+>New to MS Windows 2000 ADS security contexts is the fact that trust relationships are two-way
+by default. Also, all inter-ADS domain trusts are transitive. In the case of the RED, WHITE and BLUE
+domains above, with Windows 2000 and ADS the RED and BLUE domains CAN trust each other. This is
+an inherent feature of ADS domains. Samba-3 implements MS Windows NT4
+style Interdomain trusts and interoperates with MS Windows 200x ADS
+security domains in similar manner to MS Windows NT4 style domains.</P
+></DIV
+><DIV
+CLASS="SECT1"
+><H1
+CLASS="SECT1"
+><A
+NAME="AEN3456"
+>19.2. Native MS Windows NT4 Trusts Configuration</A
+></H1
+><P
+>There are two steps to creating an interdomain trust relationship.</P
+><DIV
+CLASS="SECT2"
+><H2
+CLASS="SECT2"
+><A
+NAME="AEN3459"
+>19.2.1. NT4 as the Trusting Domain (ie. creating the trusted account)</A
+></H2
+><P
+>For MS Windows NT4, all domain trust relationships are configured using the Domain User Manager.
+To affect a two way trust relationship it is necessary for each domain administrator to make
+available (for use by an external domain) it's security resources. This is done from the Domain
+User Manager Policies entry on the menu bar. From the Policy menu, select Trust Relationships, then
+next to the lower box that is labelled "Permitted to Trust this Domain" are two buttons, "Add" and
+"Remove". The "Add" button will open a panel in which needs to be entered the remote domain that
+will be able to assign user rights to your domain. In addition it is necessary to enter a password
+that is specific to this trust relationship. The password needs to be
+typed twice (for standard confirmation).</P
+></DIV
+><DIV
+CLASS="SECT2"
+><H2
+CLASS="SECT2"
+><A
+NAME="AEN3462"
+>19.2.2. NT4 as the Trusted Domain (ie. creating trusted account's password)</A
+></H2
+><P
+>A trust relationship will work only when the other (trusting) domain makes the appropriate connections
+with the trusted domain. To consumate the trust relationship the administrator will launch the
+Domain User Manager, from the menu select Policies, then select Trust Relationships, then click on the
+"Add" button that is next to the box that is labelled "Trusted Domains". A panel will open in
+which must be entered the name of the remote domain as well as the password assigned to that trust.</P
+></DIV
+></DIV
+><DIV
+CLASS="SECT1"
+><H1
+CLASS="SECT1"
+><A
+NAME="AEN3465"
+>19.3. Configuring Samba NT-style Domain Trusts</A
+></H1
+><P
+>This description is meant to be a fairly short introduction about how to set up a Samba server so
+that it could participate in interdomain trust relationships. Trust relationship support in Samba
+is in its early stage, so lot of things don't work yet.</P
+><P
+>Each of the procedures described below is treated as they were performed with Windows NT4 Server on
+one end. The remote end could just as well be another Samba-3 domain. It can be clearly seen, after
+reading this document, that combining Samba-specific parts of what's written below leads to trust
+between domains in purely Samba environment.</P
+><DIV
+CLASS="SECT2"
+><H2
+CLASS="SECT2"
+><A
+NAME="AEN3469"
+>19.3.1. Samba-3 as the Trusting Domain</A
+></H2
+><P
+>In order to set Samba PDC to be trusted party of the relationship first you need
+to create special account for the domain that will be the trusting party. To do that,
+you can use the 'smbpasswd' utility. Creating the trusted domain account is very
+similiar to creating a trusted machine account. Suppose, your domain is
+called SAMBA, and the remote domain is called RUMBA. The first step
+will be to issue this command from your favourite shell:</P
+><P
+><PRE
+CLASS="SCREEN"
+> &nbsp;<SAMP
+CLASS="PROMPT"
+>deity#</SAMP
+> <KBD
+CLASS="USERINPUT"
+>smbpasswd -a -i rumba</KBD
+>
+ &nbsp; New SMB password: XXXXXXXX
+ &nbsp; Retype SMB password: XXXXXXXX
+ &nbsp; Added user rumba$</PRE
+>
+
+where <VAR
+CLASS="PARAMETER"
+>-a</VAR
+> means to add a new account into the
+passdb database and <VAR
+CLASS="PARAMETER"
+>-i</VAR
+> means: ''create this
+account with the InterDomain trust flag''</P
+><P
+>The account name will be 'rumba$' (the name of the remote domain)</P
+><P
+>After issuing this command you'll be asked to enter the password for
+the account. You can use any password you want, but be aware that Windows NT will
+not change this password until 7 days following account creation.
+After the command returns successfully, you can look at the entry for new account
+(in the way depending on your configuration) and see that account's name is
+really RUMBA$ and it has 'I' flag in the flags field. Now you're ready to confirm
+the trust by establishing it from Windows NT Server.</P
+><P
+>Open 'User Manager for Domains' and from menu 'Policies' select 'Trust Relationships...'.
+Right beside 'Trusted domains' list box press 'Add...' button. You will be prompted for
+the trusted domain name and the relationship password. Type in SAMBA, as this is
+your domain name, and the password used at the time of account creation.
+Press OK and, if everything went without incident, you will see 'Trusted domain relationship
+successfully established' message.</P
+></DIV
+><DIV
+CLASS="SECT2"
+><H2
+CLASS="SECT2"
+><A
+NAME="AEN3481"
+>19.3.2. Samba-3 as the Trusted Domain</A
+></H2
+><P
+>This time activities are somewhat reversed. Again, we'll assume that your domain
+controlled by the Samba PDC is called SAMBA and NT-controlled domain is called RUMBA.</P
+><P
+>The very first thing requirement is to add an account for the SAMBA domain on RUMBA's PDC.</P
+><P
+>Launch the Domain User Manager, then from the menu select 'Policies', 'Trust Relationships'.
+Now, next to 'Trusted Domains' box press the 'Add' button, and type in the name of the trusted
+domain (SAMBA) and password securing the relationship.</P
+><P
+>The password can be arbitrarily chosen. It is easy to change it the password
+from Samba server whenever you want. After confirming the password your account is
+ready for use. Now it's Samba's turn.</P
+><P
+>Using your favourite shell while being logged in as root, issue this command:</P
+><P
+><SAMP
+CLASS="PROMPT"
+>deity# </SAMP
+><KBD
+CLASS="USERINPUT"
+>net rpc trustdom establish rumba</KBD
+></P
+><P
+>You will be prompted for the password you just typed on your Windows NT4 Server box.
+Don not worry if you see an error message that mentions a returned code of
+<SPAN
+CLASS="ERRORNAME"
+>NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT</SPAN
+>. It means the
+password you gave is correct and the NT4 Server says the account is
+ready for interdomain connection and not for ordinary
+connection. After that, be patient it can take a while (especially
+in large networks), you should see the 'Success' message. Congratulations! Your trust
+relationship has just been established.</P
+><DIV
+CLASS="NOTE"
+><P
+></P
+><TABLE
+CLASS="NOTE"
+WIDTH="100%"
+BORDER="0"
+><TR
+><TD
+WIDTH="25"
+ALIGN="CENTER"
+VALIGN="TOP"
+><IMG
+SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/note.gif"
+HSPACE="5"
+ALT="Note"></TD
+><TD
+ALIGN="LEFT"
+VALIGN="TOP"
+><P
+>Note that you have to run this command as root because you must have write access to
+the <TT
+CLASS="FILENAME"
+>secrets.tdb</TT
+> file.</P
+></TD
+></TR
+></TABLE
+></DIV
+></DIV
+></DIV
+></DIV
+><DIV
+CLASS="NAVFOOTER"
+><HR
+ALIGN="LEFT"
+WIDTH="100%"><TABLE
+SUMMARY="Footer navigation table"
+WIDTH="100%"
+BORDER="0"
+CELLPADDING="0"
+CELLSPACING="0"
+><TR
+><TD
+WIDTH="33%"
+ALIGN="left"
+VALIGN="top"
+><A
+HREF="profilemgmt.html"
+ACCESSKEY="P"
+>Prev</A
+></TD
+><TD
+WIDTH="34%"
+ALIGN="center"
+VALIGN="top"
+><A
+HREF="samba-howto-collection.html"
+ACCESSKEY="H"
+>Home</A
+></TD
+><TD
+WIDTH="33%"
+ALIGN="right"
+VALIGN="top"
+><A
+HREF="pam.html"
+ACCESSKEY="N"
+>Next</A
+></TD
+></TR
+><TR
+><TD
+WIDTH="33%"
+ALIGN="left"
+VALIGN="top"
+>Desktop Profile Management</TD
+><TD
+WIDTH="34%"
+ALIGN="center"
+VALIGN="top"
+><A
+HREF="optional.html"
+ACCESSKEY="U"
+>Up</A
+></TD
+><TD
+WIDTH="33%"
+ALIGN="right"
+VALIGN="top"
+>PAM Configuration for Centrally Managed Authentication</TD
+></TR
+></TABLE
+></DIV
+></BODY
+></HTML
+> \ No newline at end of file
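Review bot: the section headings in 19.2 and 19.3 contradict the trusted/trusting terminology that 19.1 defines ("The domain from which users are available to another security domain is said to be a trusted domain. The domain in which those users have assigned rights and privileges is the trusting domain."). Under 19.3.1 "Samba-3 as the Trusting Domain" the body actually makes Samba the trusted party: it creates the rumba$ trust account with `smbpasswd -a -i rumba` and has the NT4 administrator add SAMBA under 'Trusted domains', so SAMBA is the domain whose users are being made available. Under 19.3.2 "Samba-3 as the Trusted Domain" the Samba side runs `net rpc trustdom establish rumba`, which makes RUMBA the trusted domain and SAMBA the trusting one. The same swap appears in 19.2.1, where "NT4 as the Trusting Domain" describes the "Permitted to Trust this Domain" box, which is the trusted domain's side of the dialog. Suggest swapping the 19.2.x and 19.3.x headings (and the matching TOC entries) in the DocBook source rather than here, since this file is generated by the Modular DocBook HTML Stylesheet and will be overwritten on the next build. Two smaller points, also to be fixed in the source: the sentence "You can use any password you want" under 19.3.1 should note that this password is the shared secret protecting the interdomain trust account and should be chosen accordingly, and the note image is referenced by an absolute build-host path (`SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/note.gif"`) that will not resolve for anyone reading the shipped HTML. Several typos in the visible text ("This is feature that", "from and NT4 style", "it's security resources", "consumate", "similiar", "Don not worry", "The very first thing requirement", "change it the password", and "affect" where "effect" is meant) and the missing newline at end of file can be cleaned up in the same pass.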