Chapter 16. Interdomain Trust Relationships

-Samba-3 supports NT4 style domain trust relationships. This is feature that many sites -will want to use if they migrate to Samba-3 from and NT4 style domain and do NOT want to -adopt Active Directory or an LDAP based authentication back end. This section explains -some background information regarding trust relationships and how to create them. It is now -possible for Samba-3 to NT4 trust (and vice versa), as well as Samba3 to Samba3 trusts. -

Features and Benefits

-Samba-3 can participate in Samba-to-Samba as well as in Samba-to-MS Windows NT4 style -trust relationships. This imparts to Samba similar scalability as is possible with -MS Windows NT4. -

-Given that Samba-3 has the capability to function with a scalable backend authentication -database such as LDAP, and given it's ability to run in Primary as well as Backup Domain control -modes, the administrator would be well advised to consider alternatives to the use of -Interdomain trusts simply because by the very nature of how this works it is fragile. -That was, after all, a key reason for the development and adoption of Microsoft Active Directory. -

Trust Relationship Background

-MS Windows NT3.x/4.0 type security domains employ a non-hierarchical security structure. -The limitations of this architecture as it affects the scalability of MS Windows networking -in large organisations is well known. Additionally, the flat-name space that results from -this design significantly impacts the delegation of administrative responsibilities in -large and diverse organisations. -

-Microsoft developed Active Directory Service (ADS), based on Kerberos and LDAP, as a means -of circumventing the limitations of the older technologies. Not every organisation is ready -or willing to embrace ADS. For small companies the older NT4 style domain security paradigm -is quite adequate, there thus remains an entrenched user base for whom there is no direct -desire to go through a disruptive change to adopt ADS. -

-Microsoft introduced with MS Windows NT the ability to allow differing security domains -to affect a mechanism so that users from one domain may be given access rights and privileges -in another domain. The language that describes this capability is couched in terms of -Trusts. Specifically, one domain will trust the users -from another domain. The domain from which users are available to another security domain is -said to be a trusted domain. The domain in which those users have assigned rights and privileges -is the trusting domain. With NT3.x/4.0 all trust relationships are always in one direction only, -thus if users in both domains are to have privileges and rights in each others' domain, then it is -necessary to establish two (2) relationships, one in each direction. -

-In an NT4 style MS security domain, all trusts are non-transitive. This means that if there -are three (3) domains (let's call them RED, WHITE, and BLUE) where RED and WHITE have a trust -relationship, and WHITE and BLUE have a trust relationship, then it holds that there is no -implied trust between the RED and BLUE domains. ie: Relationships are explicit and not -transitive. -

-New to MS Windows 2000 ADS security contexts is the fact that trust relationships are two-way -by default. Also, all inter-ADS domain trusts are transitive. In the case of the RED, WHITE and BLUE -domains above, with Windows 2000 and ADS the RED and BLUE domains CAN trust each other. This is -an inherent feature of ADS domains. Samba-3 implements MS Windows NT4 -style Interdomain trusts and interoperates with MS Windows 200x ADS -security domains in similar manner to MS Windows NT4 style domains. -

Native MS Windows NT4 Trusts Configuration

-There are two steps to creating an interdomain trust relationship. -

NT4 as the Trusting Domain (ie. creating the trusted account)

-For MS Windows NT4, all domain trust relationships are configured using the -Domain User Manager. To affect a two way trust relationship it is -necessary for each domain administrator to make available (for use by an external domain) it's -security resources. This is done from the Domain User Manager Policies entry on the menu bar. -From the Policy menu, select Trust Relationships, then -next to the lower box that is labelled Permitted to Trust this Domain are two -buttons, Add and Remove. The Add -button will open a panel in which needs to be entered the remote domain that will be able to assign -user rights to your domain. In addition it is necessary to enter a password -that is specific to this trust relationship. The password needs to be -typed twice (for standard confirmation). -

NT4 as the Trusted Domain (ie. creating trusted account's password)

-A trust relationship will work only when the other (trusting) domain makes the appropriate connections -with the trusted domain. To consummate the trust relationship the administrator will launch the -Domain User Manager, from the menu select Policies, then select Trust Relationships, then click on the -Add button that is next to the box that is labelled -Trusted Domains. A panel will open in which must be entered the name of the remote -domain as well as the password assigned to that trust. -

Configuring Samba NT-style Domain Trusts

-This description is meant to be a fairly short introduction about how to set up a Samba server so -that it could participate in interdomain trust relationships. Trust relationship support in Samba -is in its early stage, so lot of things don't work yet. -

-Each of the procedures described below is treated as they were performed with Windows NT4 Server on -one end. The remote end could just as well be another Samba-3 domain. It can be clearly seen, after -reading this document, that combining Samba-specific parts of what's written below leads to trust -between domains in purely Samba environment. -

Samba-3 as the Trusting Domain

-In order to set the Samba PDC to be the trusted party of the relationship first you need -to create special account for the domain that will be the trusting party. To do that, -you can use the 'smbpasswd' utility. Creating the trusted domain account is very -similar to creating a trusted machine account. Suppose, your domain is -called SAMBA, and the remote domain is called RUMBA. The first step -will be to issue this command from your favourite shell: -

-root#  smbpasswd -a -i rumba
-	New SMB password: XXXXXXXX
-	Retype SMB password: XXXXXXXX
-	Added user rumba$
-

- -where -a means to add a new account into the -passdb database and -i means: ''create this -account with the InterDomain trust flag'' -

-The account name will be 'rumba$' (the name of the remote domain) -

-After issuing this command you'll be asked to enter the password for -the account. You can use any password you want, but be aware that Windows NT will -not change this password until 7 days following account creation. -After the command returns successfully, you can look at the entry for the new account -(in the standard way depending on your configuration) and see that account's name is -really RUMBA$ and it has 'I' flag in the flags field. Now you're ready to confirm -the trust by establishing it from Windows NT Server. -

-Open User Manager for Domains and from menu -Policies select Trust Relationships.... -Right beside Trusted domains list box press the -Add... button. You will be prompted for -the trusted domain name and the relationship password. Type in SAMBA, as this is -your domain name, and the password used at the time of account creation. -Press OK and, if everything went without incident, you will see -Trusted domain relationship successfully -established message. -

Samba-3 as the Trusted Domain

-This time activities are somewhat reversed. Again, we'll assume that your domain -controlled by the Samba PDC is called SAMBA and NT-controlled domain is called RUMBA. -

-The very first thing requirement is to add an account for the SAMBA domain on RUMBA's PDC. -

-Launch the Domain User Manager, then from the menu select -Policies, Trust Relationships. -Now, next to Trusted Domains box press the Add -button, and type in the name of the trusted domain (SAMBA) and password securing -the relationship. -

-The password can be arbitrarily chosen. It is easy to change the password -from the Samba server whenever you want. After confirming the password your account is -ready for use. Now it's Samba's turn. -

-Using your favourite shell while being logged in as root, issue this command: -

-root# net rpc trustdom establish rumba -

-You will be prompted for the password you just typed on your Windows NT4 Server box. -Do not worry if you see an error message that mentions a returned code of -NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT. It means the -password you gave is correct and the NT4 Server says the account is -ready for interdomain connection and not for ordinary -connection. After that, be patient it can take a while (especially -in large networks), you should see the Success message. -Congratulations! Your trust relationship has just been established. -

Note

-Note that you have to run this command as root because you must have write access to -the secrets.tdb file. -

Common Errors

-Interdomain trust relationships should NOT be attempted on networks that are unstable -or that suffer regular outages. Network stability and integrity are key concerns with -distributed trusted domains. -

Tell me about Trust Relationships using Samba

- Like many, I administer multiple LANs connected together using NT trust - relationships. This was implemented about 4 years ago. I now have the - occasion to consider performing this same task again, but this time, I - would like to implement it solely through samba - no Microsoft PDCs - anywhere. -

- I have read documentation on samba.org regarding NT-style trust - relationships and am now wondering, can I do what I want to? I already - have successfully implemented 2 samba servers, but they are not PDCs. - They merely act as file servers. I seem to remember, and it appears to - be true (according to samba.org) that trust relationships are a - challenge. -

- Please provide any helpful feedback that you may have. -

- These are almost complete in Samba 3.0 snapshots. The main catch - is getting winbindd to be able to allocate UID/GIDs for trusted - users/groups. See the updated Samba HOWTO collection for more - details. -

Prev	Up	Next
Chapter 15. Securing Samba	Home	Chapter 17. Hosting a Microsoft Distributed File System tree on Samba