&author.jht;
&author.mimir;
&person.jelmer;drawingStephenLangasekvorlon@netexpress.netApril 3, 2003Interdomain Trust RelationshipsInterdomain TrustsLDAPtrustssamba-to-samba trustsActive DirectoryNT4-style domaintrust relationshipsADSLDAP-based
Samba-3 supports NT4-style domain trust relationships. This is a feature that many sites
will want to use if they migrate to Samba-3 from an NT4-style domain and do not want to
adopt Active Directory or an LDAP-based authentication backend. This chapter explains
some background information regarding trust relationships and how to create them. It is now
possible for Samba-3 to trust NT4 (and vice versa), as well as to create Samba-to-Samba
trusts.
winbindUID rangeGID rangedaemonwinbindd
The use of interdomain trusts requires use of winbind, so the
winbindd daemon must be running. Winbind operation in this mode is
dependent on the specification of a valid UID range and a valid GID range in the &smb.conf; file.
These are specified respectively using:
10000-2000010000-20000passdb backendPOSIX user accountsmaximum value4294967295
The range of values specified must not overlap values used by the host operating system and must
not overlap values used in the passdb backend for POSIX user accounts. The maximum value is
limited by the upper-most value permitted by the host operating system. This is a UNIX kernel
limited parameter. Linux kernel 2.6-based systems support a maximum value of 4294967295
(32-bit unsigned variable).
winbindtrusting domaintrusted domain
The use of winbind is necessary only when Samba is the trusting domain, not when it is the
trusted domain.
Features and Benefitsscalabilitytrust relationships
Samba-3 can participate in Samba-to-Samba as well as in Samba-to-MS Windows NT4-style
trust relationships. This imparts to Samba scalability similar to that with MS Windows NT4.
scalable backendauthentication databaseLDAPinterdomain trustsADS
Given that Samba-3 can function with a scalable backend authentication database such as LDAP, and given its
ability to run in primary as well as backup domain control modes, the administrator would be well-advised to
consider alternatives to the use of interdomain trusts simply because, by the very nature of how trusts
function, this system is fragile. That was, after all, a key reason for the development and adoption of
Microsoft Active Directory.
Trust Relationship Backgroundsecurity domainsnonhierarchicalsecurity structurelarge organizationsdelegationadministrative responsibilities
MS Windows NT3/4-type security domains employ a nonhierarchical security structure.
The limitations of this architecture as it effects the scalability of MS Windows networking
in large organizations is well known. Additionally, the flat namespace that results from
this design significantly impacts the delegation of administrative responsibilities in
large and diverse organizations.
ADSKerberosLDAPlimitationsdomain security
Microsoft developed Active Directory Service (ADS), based on Kerberos and LDAP, as a means
of circumventing the limitations of the older technologies. Not every organization is ready
or willing to embrace ADS. For small companies the older NT4-style domain security paradigm
is quite adequate, and so there remains an entrenched user base for whom there is no direct
desire to go through a disruptive change to adopt ADS.
security domainsaccess rightsprivilegestruststrusted domaintrusting domainone direction
With Windows NT, Microsoft introduced the ability to allow different security domains
to effect a mechanism so users from one domain may be given access rights and privileges
in another domain. The language that describes this capability is couched in terms of
trusts. Specifically, one domain will trust the users
from another domain. The domain from which users can access another security domain is
said to be a trusted domain. The domain in which those users have assigned rights and privileges
is the trusting domain. With NT3.x/4.0 all trust relationships are always in one direction only,
so if users in both domains are to have privileges and rights in each others' domain, then it is
necessary to establish two relationships, one in each direction.
security domainnontransitivetrust relationshiptransitiveexplicit trust
Further, in an NT4-style MS security domain, all trusts are nontransitive. This means that if there are three
domains (let's call them red, white, and blue), where red and white have a trust relationship, and white and
blue have a trust relationship, then it holds that there is no implied trust between the red and blue domains.
Relationships are explicit and not transitive.
ADSsecurity contextstrust relationshipstwo-way trustWindows 2000security domainsNT4-style domains
New to MS Windows 2000 ADS security contexts is the fact that trust relationships are two-way by default.
Also, all inter-ADS domain trusts are transitive. In the case of the red, white, and blue domains, with
Windows 2000 and ADS, the red and blue domains can trust each other. This is an inherent feature of ADS
domains. Samba-3 implements MS Windows NT4-style interdomain trusts and interoperates with MS Windows 200x ADS
security domains in similar manner to MS Windows NT4-style domains.
Native MS Windows NT4 Trusts ConfigurationInterdomain Trustscreatingtwo-way trustsecurity credentials
There are two steps to creating an interdomain trust relationship. To effect a two-way trust
relationship, it is necessary for each domain administrator to create a trust account for the
other domain to use in verifying security credentials.
Creating an NT4 Domain Trustdomain trusttrust relationships>Domain User Managerremote domainstandard confirmation
For MS Windows NT4, all domain trust relationships are configured using the
Domain User Manager. This is done from the Domain User Manager Policies
entry on the menu bar. From the Policy menu, select
Trust Relationships. Next to the lower box labeled
Permitted to Trust this Domain are two buttons, Add
and Remove. The Add button will open a panel in which
to enter the name of the remote domain that will be able to assign access rights to users in
your domain. You will also need to enter a password for this trust relationship, which the
trusting domain will use when authenticating users from the trusted domain.
The password needs to be typed twice (for standard confirmation).
Completing an NT4 Domain Trusttrust relationshiptrusting domaintrusted domainremote domainpassword assignedInterdomain TrustsCompleting
A trust relationship will work only when the other (trusting) domain makes the appropriate connections
with the trusted domain. To consummate the trust relationship, the administrator launches the
Domain User Manager from the menu selects Policies, then select
Trust Relationships, and clicks on the Add button
next to the box that is labeled Trusted Domains. A panel opens in which
must be entered the name of the remote domain as well as the password assigned to that trust.
Interdomain Trust Facilitiestwo-way trusttrust relationshiptrust establishedone-way trustWindows NT4 domainsInterdomain TrustsFacilities
A two-way trust relationship is created when two one-way trusts are created, one in each direction.
Where a one-way trust has been established between two MS Windows NT4 domains (let's call them
DomA and DomB), the following facilities are created:
DomA (completes the trust connection) Trusts DomB.
DomA is the Trusting domain.
DomB is the Trusted domain (originates the trust account).
Users in DomB can access resources in DomA.
Users in DomA cannot access resources in DomB.
Global groups from DomB can be used in DomA.
Global groups from DomA cannot be used in DomB.
DomB does appear in the logon dialog box on client workstations in DomA.
DomA does not appear in the logon dialog box on client workstations in DomB.
Users and groups in a trusting domain cannot be granted rights, permissions, or access
to a trusted domain.
The trusting domain can access and use accounts (users/global groups) in the
trusted domain.
Administrators of the trusted domain can be granted administrative rights in the
trusting domain.
Users in a trusted domain can be given rights and privileges in the trusting
domain.
Trusted domain global groups can be given rights and permissions in the trusting
domain.
Global groups from the trusted domain can be made members in local groups on
MS Windows domain member machines.
Configuring Samba NT-Style Domain Trustsinterdomain trust
This description is meant to be a fairly short introduction about how to set up a Samba server so
that it can participate in interdomain trust relationships. Trust relationship support in Samba
is at an early stage, so do not be surprised if something does not function as it should.
peer domaintrust relationshipWindows NT4 Serverbetween domains
Each of the procedures described next assumes the peer domain in the trust relationship is controlled by a
Windows NT4 server. However, the remote end could just as well be another Samba-3 domain. It can be clearly
seen, after reading this document, that combining Samba-specific parts of what's written in the following
sections leads to trust between domains in a purely Samba environment.
Samba as the Trusted Domaintrusted partyspecial accounttrusting partyPDCsmbpasswd
In order to set the Samba PDC to be the trusted party of the relationship, you first need
to create a special account for the domain that will be the trusting party. To do that,
you can use the smbpasswd utility. Creating the trusted domain account is
similar to creating a trusted machine account. Suppose, your domain is
called SAMBA, and the remote domain is called RUMBA. The first step
will be to issue this command from your favorite shell:
&rootprompt; smbpasswd -a -i rumba
New SMB password: XXXXXXXX
Retype SMB password: XXXXXXXX
Added user rumba$
where means to add a new account into the
passdb database and means to create this
account with the Interdomain trust flag.
account nameremote domainpassword database/etc/passwd
The account name will be rumba$ (the name of the remote domain).
If this fails, you should check that the trust account has been added to the system
password database (/etc/passwd). If it has not been added, you
can add it manually and then repeat the previous step.
passwordnew accountconfirm the trustWindows NT Server
After issuing this command, you will be asked to enter the password for the account. You can use any password
you want, but be aware that Windows NT will not change this password until 7 days following account creation.
After the command returns successfully, you can look at the entry for the new account (in the standard way as
appropriate for your configuration) and see that the account's name is really RUMBA$ and it has the
I flag set in the flags field. Now you are ready to confirm the trust by establishing it from
Windows NT Server.
User Managertrusted domain namerelationship passwordremote domainestablished
Open User Manager for Domains and from the Policies menu, select
Trust Relationships.... Beside the Trusted domains list box,
click the Add... button. You will be prompted for the trusted domain name and the
relationship password. Type in SAMBA, as this is the name of the remote domain and the password used at the
time of account creation. Click on OK and, if everything went without incident, you
will see the Trusted domain relationship successfully established message.
Samba as the Trusting DomainNT-controlled domainPDC
This time activities are somewhat reversed. Again, we'll assume that your domain
controlled by the Samba PDC is called SAMBA and the NT-controlled domain is called RUMBA.
The very first step is to add an account for the SAMBA domain on RUMBA's PDC.
User Managertrusted domainpassword
Launch the Domain User Manager, then from the menu select
Policies, Trust Relationships.
Now, next to the Trusted Domains box, press the Add
button and type in the name of the trusted domain (SAMBA) and the password to use in securing
the relationship.
passwordconfirm the password
The password can be arbitrarily chosen. It is easy to change the password from the Samba server whenever you
want. After you confirm the password, your account is ready for use. Now its Samba's turn.
Using your favorite shell while logged in as root, issue this command:
netrpctrustdom establish
&rootprompt;net rpc trustdom establish rumbapasswordinterdomain connectionordinary connection
You will be prompted for the password you just typed on your Windows NT4 Server box.
An error message, "NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT,"
that may be reported periodically is of no concern and may safely be ignored.
It means the password you gave is correct and the NT4 server says the account is ready for
interdomain connection and not for ordinary connection. After that, be patient;
it can take a while (especially in large networks), but eventually you should see
the Success message. Congratulations! Your trust
relationship has just been established.
You have to run this command as root because you must have write access to
the secrets.tdb file.
NT4-Style Domain Trusts with Windows 2000trust relationshipWindows 2000 serverNT4-stylemixed mode
Although Domain User Manager is not present in Windows 2000, it is
also possible to establish an NT4-style trust relationship with a Windows 2000 domain
controller running in mixed mode as the trusting server. It should also be possible for
Samba to trust a Windows 2000 server; however, more testing is still needed in this area.
interdomain trusttrust accountnot transitiveADS
After creating the interdomain trust account on the Samba server
as described previously, open Active Directory Domains and Trusts on the AD
controller of the domain whose resources you wish Samba users to have access to. Remember that since NT4-style
trusts are not transitive, if you want your users to have access to multiple mixed-mode domains in your AD
forest, you will need to repeat this process for each of those domains. With Active Directory
domains and trusts open, right-click on the name of the Active Directory domain that will trust
our Samba domain and choose Properties, then click on the
Trusts tab. In the upper part of the panel, you will see a list box labeled
Domains trusted by this domain: and an Add... button next to it.
Press this button and, just as with NT4, you will be prompted for the trusted domain name and the relationship
password. Press OK and after a moment, Active Directory will respond with
The trusted domain has been added and the trust has been verified. Your
Samba users can now be granted access to resources in the AD domain.
Common Errors
Interdomain trust relationships should not be attempted on networks that are unstable
or that suffer regular outages. Network stability and integrity are key concerns with
distributed trusted domains.
Browsing of Trusted Domain FailsBrowsing from a machine in a trusted Windows 200x domain to a Windows 200x member of
a trusting Samba domain, I get the following error:
The system detected a possible attempt to compromise security. Please
ensure that you can contact the server that authenticated you.
The event logs on the box I'm trying to connect to have entries regarding group
policy not being applied because it is a member of a down-level domain.If there is a computer account in the Windows
200x domain for the machine in question, and it is disabled, this problem can
occur. If there is no computer account (removed or never existed), or if that
account is still intact (i.e., you just joined it to another domain), everything
seems to be fine. By default, when you unjoin a domain (the Windows 200x
domain), the computer tries to automatically disable the computer account in
the domain. If you are running as an account that has privileges to do this
when you unjoin the machine, it is done; otherwise it is not done.
Problems with LDAP ldapsam and Older Versions of smbldap-tools
If you use the smbldap-useradd script to create a trust
account to set up interdomain trusts, the process of setting up the trust will
fail. The account that was created in the LDAP database will have an account
flags field that has [W ], when it must have
[I ] for interdomain trusts to work.
Here is a simple solution.
Create a machine account as follows:
&rootprompt; smbldap-useradd -w domain_name
Then set the desired trust account password as shown here:
&rootprompt; smbldap-passwd domain_name\$
Using a text editor, create the following file:
dn: uid=domain_name$,ou=People,dc={your-domain},dc={your-top-level-domain}
changetype: modify
sambaAcctFlags: [I ]
Then apply the text file to the LDAP database as follows:
&rootprompt; ldapmodify -x -h localhost \
-D "cn=Manager,dc={your-domain},dc={your-top-level-domain}" \
-W -f /path-to/foobar
Create a single-sided trust under the NT4 Domain User Manager, then execute:
&rootprompt; net rpc trustdom establish domain_name
It works with Samba-3 and NT4 domains, and also with Samba-3 and Windows 200x ADS in mixed mode.
Both domain controllers, Samba and NT must have the same WINS server; otherwise,
the trust will never work.