Ignore:
Timestamp:
Jun 17, 2009, 2:19:52 PM (16 years ago)
Author:
Herwig Bauernfeind
Message:

Update 3.3 branch to 3.3.5

File:
1 edited

Legend:

Unmodified
Added
Removed

  • branches/samba-3.3.x/docs/htmldocs/Samba3-HOWTO/InterdomainTrusts.html

    r218 r274  
    1 <html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 19. Interdomain Trust Relationships</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.74.0"><link rel="home" href="index.html" title="The Official Samba 3.2.x HOWTO and Reference Guide"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="prev" href="securing-samba.html" title="Chapter 18. Securing Samba"><link rel="next" href="msdfs.html" title="Chapter 20. Hosting a Microsoft Distributed File System Tree"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 19. Interdomain Trust Relationships</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="securing-samba.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="msdfs.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="InterdomainTrusts"></a>Chapter 19. Interdomain Trust Relationships</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="orgname">Samba Team</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:jht@samba.org">jht@samba.org</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Rafal</span> <span class="orgname">Samba Team</span> <span class="surname">Szczesniak</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:mimir@samba.org">mimir@samba.org</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="orgname">The Samba Team</span> <span class="surname">Vernooij</span></h3><span class="contrib">drawing</span> <div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:jelmer@samba.org">jelmer@samba.org</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Stephen</span> <span class="surname">Langasek</span></h3><div class="affiliation"><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:vorlon@netexpress.net">vorlon@netexpress.net</a>&gt;</code></p></div></div></div></div><div><p class="pubdate">April 3, 2003</p></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="InterdomainTrusts.html#id2619694">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="InterdomainTrusts.html#id2619766">Trust Relationship Background</a></span></dt><dt><span class="sect1"><a href="InterdomainTrusts.html#id2620044">Native MS Windows NT4 Trusts Configuration</a></span></dt><dd><dl><dt><span class="sect2"><a href="InterdomainTrusts.html#id2620080">Creating an NT4 Domain Trust</a></span></dt><dt><span class="sect2"><a href="InterdomainTrusts.html#id2620177">Completing an NT4 Domain Trust</a></span></dt><dt><span class="sect2"><a href="InterdomainTrusts.html#id2620262">Interdomain Trust Facilities</a></span></dt></dl></dd><dt><span class="sect1"><a href="InterdomainTrusts.html#id2620471">Configuring Samba NT-Style Domain Trusts</a></span></dt><dd><dl><dt><span class="sect2"><a href="InterdomainTrusts.html#samba-trusted-domain">Samba as the Trusted Domain</a></span></dt><dt><span class="sect2"><a href="InterdomainTrusts.html#id2620820">Samba as the Trusting Domain</a></span></dt></dl></dd><dt><span class="sect1"><a href="InterdomainTrusts.html#id2621016">NT4-Style Domain Trusts with Windows 2000</a></span></dt><dt><span class="sect1"><a href="InterdomainTrusts.html#id2621165">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="InterdomainTrusts.html#id2621178">Browsing of Trusted Domain Fails</a></span></dt><dt><span class="sect2"><a href="InterdomainTrusts.html#id2621224">Problems with LDAP ldapsam and Older Versions of smbldap-tools</a></span></dt></dl></dd></dl></div><p>
    2 <a class="indexterm" name="id2619474"></a>
    3 <a class="indexterm" name="id2619481"></a>
    4 <a class="indexterm" name="id2619488"></a>
    5 <a class="indexterm" name="id2619495"></a>
    6 <a class="indexterm" name="id2619502"></a>
    7 <a class="indexterm" name="id2619509"></a>
    8 <a class="indexterm" name="id2619516"></a>
    9 <a class="indexterm" name="id2619522"></a>
    10 <a class="indexterm" name="id2619529"></a>
     1<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 19. Interdomain Trust Relationships</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.74.0"><link rel="home" href="index.html" title="The Official Samba 3.3.x HOWTO and Reference Guide"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="prev" href="securing-samba.html" title="Chapter 18. Securing Samba"><link rel="next" href="msdfs.html" title="Chapter 20. Hosting a Microsoft Distributed File System Tree"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 19. Interdomain Trust Relationships</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="securing-samba.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="msdfs.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="InterdomainTrusts"></a>Chapter 19. Interdomain Trust Relationships</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="orgname">Samba Team</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:jht@samba.org">jht@samba.org</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Rafal</span> <span class="orgname">Samba Team</span> <span class="surname">Szczesniak</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:mimir@samba.org">mimir@samba.org</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="orgname">The Samba Team</span> <span class="surname">Vernooij</span></h3><span class="contrib">drawing</span> <div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:jelmer@samba.org">jelmer@samba.org</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Stephen</span> <span class="surname">Langasek</span></h3><div class="affiliation"><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:vorlon@netexpress.net">vorlon@netexpress.net</a>&gt;</code></p></div></div></div></div><div><p class="pubdate">April 3, 2003</p></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="InterdomainTrusts.html#id2619747">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="InterdomainTrusts.html#id2619819">Trust Relationship Background</a></span></dt><dt><span class="sect1"><a href="InterdomainTrusts.html#id2620105">Native MS Windows NT4 Trusts Configuration</a></span></dt><dd><dl><dt><span class="sect2"><a href="InterdomainTrusts.html#id2620141">Creating an NT4 Domain Trust</a></span></dt><dt><span class="sect2"><a href="InterdomainTrusts.html#id2620238">Completing an NT4 Domain Trust</a></span></dt><dt><span class="sect2"><a href="InterdomainTrusts.html#id2620323">Interdomain Trust Facilities</a></span></dt></dl></dd><dt><span class="sect1"><a href="InterdomainTrusts.html#id2620532">Configuring Samba NT-Style Domain Trusts</a></span></dt><dd><dl><dt><span class="sect2"><a href="InterdomainTrusts.html#samba-trusted-domain">Samba as the Trusted Domain</a></span></dt><dt><span class="sect2"><a href="InterdomainTrusts.html#id2620873">Samba as the Trusting Domain</a></span></dt></dl></dd><dt><span class="sect1"><a href="InterdomainTrusts.html#id2621070">NT4-Style Domain Trusts with Windows 2000</a></span></dt><dt><span class="sect1"><a href="InterdomainTrusts.html#id2621219">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="InterdomainTrusts.html#id2621231">Browsing of Trusted Domain Fails</a></span></dt><dt><span class="sect2"><a href="InterdomainTrusts.html#id2621277">Problems with LDAP ldapsam and Older Versions of smbldap-tools</a></span></dt></dl></dd></dl></div><p>
     2<a class="indexterm" name="id2619527"></a>
     3<a class="indexterm" name="id2619534"></a>
     4<a class="indexterm" name="id2619541"></a>
     5<a class="indexterm" name="id2619548"></a>
     6<a class="indexterm" name="id2619555"></a>
     7<a class="indexterm" name="id2619562"></a>
     8<a class="indexterm" name="id2619569"></a>
     9<a class="indexterm" name="id2619576"></a>
     10<a class="indexterm" name="id2619582"></a>
    1111Samba-3 supports NT4-style domain trust relationships. This is a feature that many sites
    1212will want to use if they migrate to Samba-3 from an NT4-style domain and do not want to
     
    1616trusts.
    1717</p><p>
    18 <a class="indexterm" name="id2619547"></a>
    19 <a class="indexterm" name="id2619554"></a>
    20 <a class="indexterm" name="id2619560"></a>
    21 <a class="indexterm" name="id2619567"></a>
    22 <a class="indexterm" name="id2619574"></a>
     18<a class="indexterm" name="id2619600"></a>
     19<a class="indexterm" name="id2619607"></a>
     20<a class="indexterm" name="id2619614"></a>
     21<a class="indexterm" name="id2619620"></a>
     22<a class="indexterm" name="id2619627"></a>
    2323The use of interdomain trusts requires use of <code class="literal">winbind</code>, so the
    2424<code class="literal">winbindd</code> daemon must be running. Winbind operation in this mode is
    2525dependent on the specification of a valid UID range and a valid GID range in the <code class="filename">smb.conf</code> file.
    2626These are specified respectively using:
    27 </p><table class="simplelist" border="0" summary="Simple list"><tr><td><a class="indexterm" name="id2619608"></a><em class="parameter"><code>idmap uid = 10000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id2619620"></a><em class="parameter"><code>idmap gid = 10000-20000</code></em></td></tr></table><p>
    28 <a class="indexterm" name="id2619632"></a>
    29 <a class="indexterm" name="id2619638"></a>
    30 <a class="indexterm" name="id2619645"></a>
    31 <a class="indexterm" name="id2619652"></a>
     27</p><table class="simplelist" border="0" summary="Simple list"><tr><td><a class="indexterm" name="id2619661"></a><em class="parameter"><code>idmap uid = 10000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id2619673"></a><em class="parameter"><code>idmap gid = 10000-20000</code></em></td></tr></table><p>
     28<a class="indexterm" name="id2619685"></a>
     29<a class="indexterm" name="id2619692"></a>
     30<a class="indexterm" name="id2619699"></a>
     31<a class="indexterm" name="id2619706"></a>
    3232The range of values specified must not overlap values used by the host operating system and must
    3333not overlap values used in the passdb backend for POSIX user accounts. The maximum value is
     
    3636(32-bit unsigned variable).
    3737</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
    38 <a class="indexterm" name="id2619670"></a>
    39 <a class="indexterm" name="id2619677"></a>
    40 <a class="indexterm" name="id2619684"></a>
     38<a class="indexterm" name="id2619723"></a>
     39<a class="indexterm" name="id2619730"></a>
     40<a class="indexterm" name="id2619737"></a>
    4141The use of winbind is necessary only when Samba is the trusting domain, not when it is the
    4242trusted domain.
    43 </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2619694"></a>Features and Benefits</h2></div></div></div><p>
    44 <a class="indexterm" name="id2619702"></a>
    45 <a class="indexterm" name="id2619709"></a>
     43</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2619747"></a>Features and Benefits</h2></div></div></div><p>
     44<a class="indexterm" name="id2619755"></a>
     45<a class="indexterm" name="id2619762"></a>
    4646Samba-3 can participate in Samba-to-Samba as well as in Samba-to-MS Windows NT4-style
    4747trust relationships. This imparts to Samba scalability similar to that with MS Windows NT4.
    4848</p><p>
    49 <a class="indexterm" name="id2619722"></a>
    50 <a class="indexterm" name="id2619729"></a>
    51 <a class="indexterm" name="id2619736"></a>
    52 <a class="indexterm" name="id2619743"></a>
    53 <a class="indexterm" name="id2619750"></a>
     49<a class="indexterm" name="id2619775"></a>
     50<a class="indexterm" name="id2619782"></a>
     51<a class="indexterm" name="id2619789"></a>
     52<a class="indexterm" name="id2619796"></a>
     53<a class="indexterm" name="id2619803"></a>
    5454Given that Samba-3 can function with a scalable backend authentication database such as LDAP, and given its
    5555ability to run in primary as well as backup domain control modes, the administrator would be well-advised to
     
    5757function, this system is fragile.  That was, after all, a key reason for the development and adoption of
    5858Microsoft Active Directory.
    59 </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2619766"></a>Trust Relationship Background</h2></div></div></div><p>
    60 <a class="indexterm" name="id2619774"></a>
    61 <a class="indexterm" name="id2619781"></a>
    62 <a class="indexterm" name="id2619788"></a>
    63 <a class="indexterm" name="id2619795"></a>
    64 <a class="indexterm" name="id2619802"></a>
    65 <a class="indexterm" name="id2619809"></a>
     59</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2619819"></a>Trust Relationship Background</h2></div></div></div><p>
     60<a class="indexterm" name="id2619827"></a>
     61<a class="indexterm" name="id2619834"></a>
     62<a class="indexterm" name="id2619841"></a>
     63<a class="indexterm" name="id2619848"></a>
     64<a class="indexterm" name="id2619855"></a>
     65<a class="indexterm" name="id2619862"></a>
    6666MS Windows NT3/4-type security domains employ a nonhierarchical security structure.
    6767The limitations of this architecture as it effects the scalability of MS Windows networking
     
    7070large and diverse organizations.
    7171</p><p>
    72 <a class="indexterm" name="id2619826"></a>
    73 <a class="indexterm" name="id2619832"></a>
    74 <a class="indexterm" name="id2619839"></a>
    75 <a class="indexterm" name="id2619846"></a>
    76 <a class="indexterm" name="id2619853"></a>
     72<a class="indexterm" name="id2619879"></a>
     73<a class="indexterm" name="id2619885"></a>
     74<a class="indexterm" name="id2619892"></a>
     75<a class="indexterm" name="id2619899"></a>
     76<a class="indexterm" name="id2619906"></a>
    7777Microsoft developed Active Directory Service (ADS), based on Kerberos and LDAP, as a means
    7878of circumventing the limitations of the older technologies. Not every organization is ready
     
    8181desire to go through a disruptive change to adopt ADS.
    8282</p><p>
    83 <a class="indexterm" name="id2619870"></a>
    84 <a class="indexterm" name="id2619877"></a>
    85 <a class="indexterm" name="id2619884"></a>
    86 <a class="indexterm" name="id2619891"></a>
    87 <a class="indexterm" name="id2619897"></a>
    88 <a class="indexterm" name="id2619904"></a>
    89 <a class="indexterm" name="id2619911"></a>
     83<a class="indexterm" name="id2619923"></a>
     84<a class="indexterm" name="id2619930"></a>
     85<a class="indexterm" name="id2619937"></a>
     86<a class="indexterm" name="id2619944"></a>
     87<a class="indexterm" name="id2619951"></a>
     88<a class="indexterm" name="id2619958"></a>
     89<a class="indexterm" name="id2619964"></a>
    9090With Windows NT, Microsoft introduced the ability to allow different security domains
    9191to effect a mechanism so users from one domain may be given access rights and privileges
     
    9898necessary to establish two relationships, one in each direction.
    9999</p><p>
    100 <a class="indexterm" name="id2619941"></a>
    101 <a class="indexterm" name="id2619948"></a>
    102 <a class="indexterm" name="id2619955"></a>
    103 <a class="indexterm" name="id2619962"></a>
    104 <a class="indexterm" name="id2619969"></a>
     100<a class="indexterm" name="id2620002"></a>
     101<a class="indexterm" name="id2620009"></a>
     102<a class="indexterm" name="id2620016"></a>
     103<a class="indexterm" name="id2620023"></a>
     104<a class="indexterm" name="id2620030"></a>
    105105Further, in an NT4-style MS security domain, all trusts are nontransitive. This means that if there are three
    106106domains (let's call them red, white, and blue), where red and white have a trust relationship, and white and
     
    108108Relationships are explicit and not transitive.
    109109</p><p>
    110 <a class="indexterm" name="id2619985"></a>
    111 <a class="indexterm" name="id2619992"></a>
    112 <a class="indexterm" name="id2619999"></a>
    113 <a class="indexterm" name="id2620006"></a>
    114 <a class="indexterm" name="id2620013"></a>
    115 <a class="indexterm" name="id2620020"></a>
    116 <a class="indexterm" name="id2620027"></a>
     110<a class="indexterm" name="id2620046"></a>
     111<a class="indexterm" name="id2620053"></a>
     112<a class="indexterm" name="id2620060"></a>
     113<a class="indexterm" name="id2620067"></a>
     114<a class="indexterm" name="id2620074"></a>
     115<a class="indexterm" name="id2620080"></a>
     116<a class="indexterm" name="id2620087"></a>
    117117New to MS Windows 2000 ADS security contexts is the fact that trust relationships are two-way by default.
    118118Also, all inter-ADS domain trusts are transitive. In the case of the red, white, and blue domains, with
     
    120120domains. Samba-3 implements MS Windows NT4-style interdomain trusts and interoperates with MS Windows 200x ADS
    121121security domains in similar manner to MS Windows NT4-style domains.
    122 </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2620044"></a>Native MS Windows NT4 Trusts Configuration</h2></div></div></div><p>
    123 <a class="indexterm" name="id2620052"></a>
    124 <a class="indexterm" name="id2620061"></a>
    125 <a class="indexterm" name="id2620068"></a>
     122</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2620105"></a>Native MS Windows NT4 Trusts Configuration</h2></div></div></div><p>
     123<a class="indexterm" name="id2620112"></a>
     124<a class="indexterm" name="id2620122"></a>
     125<a class="indexterm" name="id2620129"></a>
    126126There are two steps to creating an interdomain trust relationship. To effect a two-way trust
    127127relationship, it is necessary for each domain administrator to create a trust account for the
    128128other domain to use in verifying security credentials.
    129 </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2620080"></a>Creating an NT4 Domain Trust</h3></div></div></div><p>
    130 <a class="indexterm" name="id2620088"></a>
    131 <a class="indexterm" name="id2620095"></a>
    132 <a class="indexterm" name="id2620102"></a>
    133 <a class="indexterm" name="id2620110"></a>
    134 <a class="indexterm" name="id2620116"></a>
     129</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2620141"></a>Creating an NT4 Domain Trust</h3></div></div></div><p>
     130<a class="indexterm" name="id2620149"></a>
     131<a class="indexterm" name="id2620156"></a>
     132<a class="indexterm" name="id2620163"></a>
     133<a class="indexterm" name="id2620170"></a>
     134<a class="indexterm" name="id2620177"></a>
    135135For MS Windows NT4, all domain trust relationships are configured using the
    136136<span class="application">Domain User Manager</span>. This is done from the Domain User Manager Policies
     
    143143trusting domain will use when authenticating users from the trusted domain.
    144144The password needs to be typed twice (for standard confirmation).
    145 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2620177"></a>Completing an NT4 Domain Trust</h3></div></div></div><p>
    146 <a class="indexterm" name="id2620185"></a>
    147 <a class="indexterm" name="id2620192"></a>
    148 <a class="indexterm" name="id2620199"></a>
    149 <a class="indexterm" name="id2620206"></a>
    150 <a class="indexterm" name="id2620213"></a>
    151 <a class="indexterm" name="id2620220"></a>
     145</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2620238"></a>Completing an NT4 Domain Trust</h3></div></div></div><p>
     146<a class="indexterm" name="id2620246"></a>
     147<a class="indexterm" name="id2620253"></a>
     148<a class="indexterm" name="id2620260"></a>
     149<a class="indexterm" name="id2620267"></a>
     150<a class="indexterm" name="id2620274"></a>
     151<a class="indexterm" name="id2620281"></a>
    152152A trust relationship will work only when the other (trusting) domain makes the appropriate connections
    153153with the trusted domain. To consummate the trust relationship, the administrator launches the
     
    156156next to the box that is labeled <span class="guilabel">Trusted Domains</span>. A panel opens in which
    157157must be entered the name of the remote domain as well as the password assigned to that trust.
    158 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2620262"></a>Interdomain Trust Facilities</h3></div></div></div><p>
    159 <a class="indexterm" name="id2620270"></a>
    160 <a class="indexterm" name="id2620277"></a>
    161 <a class="indexterm" name="id2620284"></a>
    162 <a class="indexterm" name="id2620291"></a>
    163 <a class="indexterm" name="id2620298"></a>
    164 <a class="indexterm" name="id2620305"></a>
     158</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2620323"></a>Interdomain Trust Facilities</h3></div></div></div><p>
     159<a class="indexterm" name="id2620331"></a>
     160<a class="indexterm" name="id2620338"></a>
     161<a class="indexterm" name="id2620345"></a>
     162<a class="indexterm" name="id2620352"></a>
     163<a class="indexterm" name="id2620359"></a>
     164<a class="indexterm" name="id2620366"></a>
    165165A two-way trust relationship is created when two one-way trusts are created, one in each direction.
    166166Where a one-way trust has been established between two MS Windows NT4 domains (let's call them
     
    202202        Global groups from the trusted domain can be made members in local groups on
    203203        MS Windows domain member machines.
    204         </p></li></ul></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2620471"></a>Configuring Samba NT-Style Domain Trusts</h2></div></div></div><p>
    205 <a class="indexterm" name="id2620480"></a>
     204        </p></li></ul></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2620532"></a>Configuring Samba NT-Style Domain Trusts</h2></div></div></div><p>
     205<a class="indexterm" name="id2620540"></a>
    206206This description is meant to be a fairly short introduction about how to set up a Samba server so
    207207that it can participate in interdomain trust relationships. Trust relationship support in Samba
    208208is at an early stage, so do not be surprised if something does not function as it should.
    209209</p><p>
    210 <a class="indexterm" name="id2620495"></a>
    211 <a class="indexterm" name="id2620502"></a>
    212 <a class="indexterm" name="id2620508"></a>
    213 <a class="indexterm" name="id2620515"></a>
     210<a class="indexterm" name="id2620556"></a>
     211<a class="indexterm" name="id2620562"></a>
     212<a class="indexterm" name="id2620569"></a>
     213<a class="indexterm" name="id2620576"></a>
    214214Each of the procedures described next assumes the peer domain in the trust relationship is controlled by a
    215215Windows NT4 server. However, the remote end could just as well be another Samba-3  domain. It can be clearly
     
    217217sections leads to trust between domains in a purely Samba environment.
    218218</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="samba-trusted-domain"></a>Samba as the Trusted Domain</h3></div></div></div><p>
    219 <a class="indexterm" name="id2620543"></a>
    220 <a class="indexterm" name="id2620550"></a>
    221 <a class="indexterm" name="id2620556"></a>
    222 <a class="indexterm" name="id2620563"></a>
    223 <a class="indexterm" name="id2620570"></a>
     219<a class="indexterm" name="id2620603"></a>
     220<a class="indexterm" name="id2620610"></a>
     221<a class="indexterm" name="id2620617"></a>
     222<a class="indexterm" name="id2620624"></a>
     223<a class="indexterm" name="id2620631"></a>
    224224In order to set the Samba PDC to be the trusted party of the relationship, you first need
    225225to create a special account for the domain that will be the trusting party. To do that,
     
    240240account with the Interdomain trust flag</span>&#8221;.
    241241</p><p>
    242 <a class="indexterm" name="id2620640"></a>
    243 <a class="indexterm" name="id2620646"></a>
    244 <a class="indexterm" name="id2620653"></a>
    245 <a class="indexterm" name="id2620660"></a>
     242<a class="indexterm" name="id2620700"></a>
     243<a class="indexterm" name="id2620707"></a>
     244<a class="indexterm" name="id2620714"></a>
     245<a class="indexterm" name="id2620721"></a>
    246246The account name will be &#8220;<span class="quote">rumba$</span>&#8221; (the name of the remote domain).
    247247If this fails, you should check that the trust account has been added to the system
     
    249249can add it manually and then repeat the previous step.
    250250</p><p>
    251 <a class="indexterm" name="id2620684"></a>
    252 <a class="indexterm" name="id2620691"></a>
    253 <a class="indexterm" name="id2620698"></a>
    254 <a class="indexterm" name="id2620705"></a>
     251<a class="indexterm" name="id2620745"></a>
     252<a class="indexterm" name="id2620752"></a>
     253<a class="indexterm" name="id2620758"></a>
     254<a class="indexterm" name="id2620765"></a>
    255255After issuing this command, you will be asked to enter the password for the account. You can use any password
    256256you want, but be aware that Windows NT will not change this password until 7 days following account creation.
     
    260260Windows NT Server.
    261261</p><p>
    262 <a class="indexterm" name="id2620734"></a>
    263 <a class="indexterm" name="id2620741"></a>
    264 <a class="indexterm" name="id2620748"></a>
    265 <a class="indexterm" name="id2620755"></a>
    266 <a class="indexterm" name="id2620762"></a>
     262<a class="indexterm" name="id2620788"></a>
     263<a class="indexterm" name="id2620795"></a>
     264<a class="indexterm" name="id2620802"></a>
     265<a class="indexterm" name="id2620809"></a>
     266<a class="indexterm" name="id2620816"></a>
    267267Open <span class="application">User Manager for Domains</span> and from the <span class="guimenu">Policies</span> menu, select
    268268<span class="guimenuitem">Trust Relationships...</span>.  Beside the <span class="guilabel">Trusted domains</span> list box,
     
    271271time of account creation.  Click on <span class="guibutton">OK</span> and, if everything went without incident, you
    272272will see the <code class="computeroutput">Trusted domain relationship successfully established</code> message.
    273 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2620820"></a>Samba as the Trusting Domain</h3></div></div></div><p>
    274 <a class="indexterm" name="id2620828"></a>
    275 <a class="indexterm" name="id2620835"></a>
     273</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2620873"></a>Samba as the Trusting Domain</h3></div></div></div><p>
     274<a class="indexterm" name="id2620881"></a>
     275<a class="indexterm" name="id2620888"></a>
    276276This time activities are somewhat reversed. Again, we'll assume that your domain
    277277controlled by the Samba PDC is called SAMBA and the NT-controlled domain is called RUMBA.
     
    279279The very first step is to add an account for the SAMBA domain on RUMBA's PDC.
    280280</p><p>
    281 <a class="indexterm" name="id2620852"></a>
    282 <a class="indexterm" name="id2620859"></a>
    283 <a class="indexterm" name="id2620866"></a>
     281<a class="indexterm" name="id2620906"></a>
     282<a class="indexterm" name="id2620913"></a>
     283<a class="indexterm" name="id2620920"></a>
    284284Launch the <span class="application">Domain User Manager</span>, then from the menu select
    285285<span class="guimenu">Policies</span>, <span class="guimenuitem">Trust Relationships</span>.
     
    288288the relationship.
    289289</p><p>
    290 <a class="indexterm" name="id2620909"></a>
    291 <a class="indexterm" name="id2620916"></a>
     290<a class="indexterm" name="id2620962"></a>
     291<a class="indexterm" name="id2620969"></a>
    292292The password can be arbitrarily chosen. It is easy to change the password from the Samba server whenever you
    293293want. After you confirm the password, your account is ready for use. Now its Samba's turn.
    294294</p><p>
    295295Using your favorite shell while logged in as root, issue this command:
    296 <a class="indexterm" name="id2620931"></a>
     296<a class="indexterm" name="id2620984"></a>
    297297</p><p>
    298298<code class="prompt">root# </code><strong class="userinput"><code>net rpc trustdom establish rumba</code></strong>
    299299</p><p>
    300 <a class="indexterm" name="id2620959"></a>
    301 <a class="indexterm" name="id2620966"></a>
    302 <a class="indexterm" name="id2620973"></a>
     300<a class="indexterm" name="id2621013"></a>
     301<a class="indexterm" name="id2621020"></a>
     302<a class="indexterm" name="id2621027"></a>
    303303You will be prompted for the password you just typed on your Windows NT4 Server box.
    304304An error message, <code class="literal">"NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT,"</code>
     
    312312You have to run this command as root because you must have write access to
    313313the <code class="filename">secrets.tdb</code> file.
    314 </p></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2621016"></a>NT4-Style Domain Trusts with Windows 2000</h2></div></div></div><p>
    315 <a class="indexterm" name="id2621024"></a>
    316 <a class="indexterm" name="id2621031"></a>
    317 <a class="indexterm" name="id2621038"></a>
    318 <a class="indexterm" name="id2621045"></a>
     314</p></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2621070"></a>NT4-Style Domain Trusts with Windows 2000</h2></div></div></div><p>
     315<a class="indexterm" name="id2621078"></a>
     316<a class="indexterm" name="id2621085"></a>
     317<a class="indexterm" name="id2621092"></a>
     318<a class="indexterm" name="id2621099"></a>
    319319Although <span class="application">Domain User Manager</span> is not present in Windows 2000, it is
    320320also possible to establish an NT4-style trust relationship with a Windows 2000 domain
     
    322322Samba to trust a Windows 2000 server; however, more testing is still needed in this area.
    323323</p><p>
    324 <a class="indexterm" name="id2621066"></a>
    325 <a class="indexterm" name="id2621073"></a>
    326 <a class="indexterm" name="id2621080"></a>
    327 <a class="indexterm" name="id2621087"></a>
     324<a class="indexterm" name="id2621120"></a>
     325<a class="indexterm" name="id2621127"></a>
     326<a class="indexterm" name="id2621134"></a>
     327<a class="indexterm" name="id2621141"></a>
    328328After <a class="link" href="InterdomainTrusts.html#samba-trusted-domain" title="Samba as the Trusted Domain">creating the interdomain trust account on the Samba server</a>
    329329as described previously, open <span class="application">Active Directory Domains and Trusts</span> on the AD
     
    339339<code class="computeroutput">The trusted domain has been added and the trust has been verified.</code> Your
    340340Samba users can now be granted access to resources in the AD domain.
    341 </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2621165"></a>Common Errors</h2></div></div></div><p>
     341</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2621219"></a>Common Errors</h2></div></div></div><p>
    342342Interdomain trust relationships should not be attempted on networks that are unstable
    343343or that suffer regular outages. Network stability and integrity are key concerns with
    344344distributed trusted domains.
    345 </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2621178"></a>Browsing of Trusted Domain Fails</h3></div></div></div><p>
     345</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2621231"></a>Browsing of Trusted Domain Fails</h3></div></div></div><p>
    346346<span class="emphasis"><em>Browsing from a machine in a trusted Windows 200x domain to a Windows 200x member of
    347347a trusting Samba domain, I get the following error:</em></span>
     
    361361the domain.  If you are running as an account that has privileges to do this
    362362when you unjoin the machine, it is done; otherwise it is not done.
    363 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2621224"></a>Problems with LDAP ldapsam and Older Versions of smbldap-tools</h3></div></div></div><p>
     363</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2621277"></a>Problems with LDAP ldapsam and Older Versions of smbldap-tools</h3></div></div></div><p>
    364364If you use the <code class="literal">smbldap-useradd</code> script to create a trust
    365365account to set up interdomain trusts, the process of setting up the trust will
Note: See TracChangeset for help on using the changeset viewer.