Context Navigation

← Previous Change
Next Change →

InterdomainTrusts.html

Timestamp:

Mar 1, 2010, 3:05:48 PM (15 years ago)

Author:

Herwig Bauernfeind

Message:

Update Samba 3.3.x to 3.3.11

File:

: 1 edited

branches/samba-3.3.x/docs/htmldocs/Samba3-HOWTO/InterdomainTrusts.html (modified) (19 diffs)

Legend:

: Unmodified
: Added
: Removed

branches/samba-3.3.x/docs/htmldocs/Samba3-HOWTO/InterdomainTrusts.html

-              r368
+              r411
 <html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 19. Interdomain Trust Relationships</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.75.2"><link rel="home" href="index.html" title="The Official Samba 3.3.x HOWTO and Reference Guide"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="prev" href="securing-samba.html" title="Chapter 18. Securing Samba"><link rel="next" href="msdfs.html" title="Chapter 20. Hosting a Microsoft Distributed File System Tree"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 19. Interdomain Trust Relationships</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="securing-samba.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="msdfs.html">Next</a></td></tr></table><hr></div><div class="chapter" title="Chapter 19. Interdomain Trust Relationships"><div class="titlepage"><div><div><h2 class="title"><a name="InterdomainTrusts"></a>Chapter 19. Interdomain Trust Relationships</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:jht@samba.org">jht@samba.org</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Rafal</span> <span class="surname">Szczesniak</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:mimir@samba.org">mimir@samba.org</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><span class="contrib">drawing</span> <div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:jelmer@samba.org">jelmer@samba.org</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Stephen</span> <span class="surname">Langasek</span></h3><div class="affiliation"><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:vorlon@netexpress.net">vorlon@netexpress.net</a>&gt;</code></p></div></div></div></div><div><p class="pubdate">April 3, 2003</p></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="InterdomainTrusts.html#id2625845">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="InterdomainTrusts.html#id2625917">Trust Relationship Background</a></span></dt><dt><span class="sect1"><a href="InterdomainTrusts.html#id2626202">Native MS Windows NT4 Trusts Configuration</a></span></dt><dd><dl><dt><span class="sect2"><a href="InterdomainTrusts.html#id2626238">Creating an NT4 Domain Trust</a></span></dt><dt><span class="sect2"><a href="InterdomainTrusts.html#id2626335">Completing an NT4 Domain Trust</a></span></dt><dt><span class="sect2"><a href="InterdomainTrusts.html#id2626421">Interdomain Trust Facilities</a></span></dt></dl></dd><dt><span class="sect1"><a href="InterdomainTrusts.html#id2626630">Configuring Samba NT-Style Domain Trusts</a></span></dt><dd><dl><dt><span class="sect2"><a href="InterdomainTrusts.html#samba-trusted-domain">Samba as the Trusted Domain</a></span></dt><dt><span class="sect2"><a href="InterdomainTrusts.html#id2626971">Samba as the Trusting Domain</a></span></dt></dl></dd><dt><span class="sect1"><a href="InterdomainTrusts.html#id2627167">NT4-Style Domain Trusts with Windows 2000</a></span></dt><dt><span class="sect1"><a href="InterdomainTrusts.html#id2627316">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="InterdomainTrusts.html#id2627329">Browsing of Trusted Domain Fails</a></span></dt><dt><span class="sect2"><a href="InterdomainTrusts.html#id2627375">Problems with LDAP ldapsam and Older Versions of smbldap-tools</a></span></dt></dl></dd></dl></div><p>
 <a class="indexterm" name="id2625625"></a>
 <a class="indexterm" name="id2625632"></a>
 <a class="indexterm" name="id2625638"></a>
 <a class="indexterm" name="id2625645"></a>
 <a class="indexterm" name="id2625652"></a>
 <a class="indexterm" name="id2625659"></a>
 <a class="indexterm" name="id2625666"></a>
 <a class="indexterm" name="id2625673"></a>
 <a class="indexterm" name="id2625680"></a>
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 19. Interdomain Trust Relationships</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.74.0"><link rel="home" href="index.html" title="The Official Samba 3.3.x HOWTO and Reference Guide"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="prev" href="securing-samba.html" title="Chapter 18. Securing Samba"><link rel="next" href="msdfs.html" title="Chapter 20. Hosting a Microsoft Distributed File System Tree"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 19. Interdomain Trust Relationships</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="securing-samba.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="msdfs.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="InterdomainTrusts"></a>Chapter 19. Interdomain Trust Relationships</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="orgname">Samba Team</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:jht@samba.org">jht@samba.org</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Rafal</span> <span class="orgname">Samba Team</span> <span class="surname">Szczesniak</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:mimir@samba.org">mimir@samba.org</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="orgname">The Samba Team</span> <span class="surname">Vernooij</span></h3><span class="contrib">drawing</span> <div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:jelmer@samba.org">jelmer@samba.org</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Stephen</span> <span class="surname">Langasek</span></h3><div class="affiliation"><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:vorlon@netexpress.net">vorlon@netexpress.net</a>&gt;</code></p></div></div></div></div><div><p class="pubdate">April 3, 2003</p></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="InterdomainTrusts.html#id2619759">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="InterdomainTrusts.html#id2619831">Trust Relationship Background</a></span></dt><dt><span class="sect1"><a href="InterdomainTrusts.html#id2620117">Native MS Windows NT4 Trusts Configuration</a></span></dt><dd><dl><dt><span class="sect2"><a href="InterdomainTrusts.html#id2620153">Creating an NT4 Domain Trust</a></span></dt><dt><span class="sect2"><a href="InterdomainTrusts.html#id2620250">Completing an NT4 Domain Trust</a></span></dt><dt><span class="sect2"><a href="InterdomainTrusts.html#id2620335">Interdomain Trust Facilities</a></span></dt></dl></dd><dt><span class="sect1"><a href="InterdomainTrusts.html#id2620544">Configuring Samba NT-Style Domain Trusts</a></span></dt><dd><dl><dt><span class="sect2"><a href="InterdomainTrusts.html#samba-trusted-domain">Samba as the Trusted Domain</a></span></dt><dt><span class="sect2"><a href="InterdomainTrusts.html#id2620885">Samba as the Trusting Domain</a></span></dt></dl></dd><dt><span class="sect1"><a href="InterdomainTrusts.html#id2621081">NT4-Style Domain Trusts with Windows 2000</a></span></dt><dt><span class="sect1"><a href="InterdomainTrusts.html#id2621231">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="InterdomainTrusts.html#id2621243">Browsing of Trusted Domain Fails</a></span></dt><dt><span class="sect2"><a href="InterdomainTrusts.html#id2621289">Problems with LDAP ldapsam and Older Versions of smbldap-tools</a></span></dt></dl></dd></dl></div><p>
+<a class="indexterm" name="id2619539"></a>
+<a class="indexterm" name="id2619546"></a>
+<a class="indexterm" name="id2619553"></a>
+<a class="indexterm" name="id2619560"></a>
+<a class="indexterm" name="id2619567"></a>
+<a class="indexterm" name="id2619574"></a>
+<a class="indexterm" name="id2619580"></a>
+<a class="indexterm" name="id2619587"></a>
+<a class="indexterm" name="id2619594"></a>
 Samba-3 supports NT4-style domain trust relationships. This is a feature that many sites
 will want to use if they migrate to Samba-3 from an NT4-style domain and do not want to
 …
 trusts.
 </p><p>
 <a class="indexterm" name="id2625697"></a>
 <a class="indexterm" name="id2625704"></a>
 <a class="indexterm" name="id2625711"></a>
 <a class="indexterm" name="id2625718"></a>
 <a class="indexterm" name="id2625725"></a>
+<a class="indexterm" name="id2619612"></a>
+<a class="indexterm" name="id2619618"></a>
+<a class="indexterm" name="id2619625"></a>
+<a class="indexterm" name="id2619632"></a>
+<a class="indexterm" name="id2619639"></a>
 The use of interdomain trusts requires use of <code class="literal">winbind</code>, so the
 <code class="literal">winbindd</code> daemon must be running. Winbind operation in this mode is
 dependent on the specification of a valid UID range and a valid GID range in the <code class="filename">smb.conf</code> file.
 These are specified respectively using:
 </p><table border="0" summary="Simple list" class="simplelist"><tr><td><a class="indexterm" name="id2625759"></a><em class="parameter"><code>idmap uid = 10000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id2625770"></a><em class="parameter"><code>idmap gid = 10000-20000</code></em></td></tr></table><p>
 <a class="indexterm" name="id2625782"></a>
 <a class="indexterm" name="id2625789"></a>
 <a class="indexterm" name="id2625796"></a>
 <a class="indexterm" name="id2625803"></a>
+</p><table class="simplelist" border="0" summary="Simple list"><tr><td><a class="indexterm" name="id2619673"></a><em class="parameter"><code>idmap uid = 10000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id2619685"></a><em class="parameter"><code>idmap gid = 10000-20000</code></em></td></tr></table><p>
+<a class="indexterm" name="id2619696"></a>
+<a class="indexterm" name="id2619703"></a>
+<a class="indexterm" name="id2619710"></a>
+<a class="indexterm" name="id2619717"></a>
 The range of values specified must not overlap values used by the host operating system and must
 not overlap values used in the passdb backend for POSIX user accounts. The maximum value is
 …
 limited parameter. Linux kernel 2.6-based systems support a maximum value of 4294967295
 (32-bit unsigned variable).
 </p><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
 <a class="indexterm" name="id2625821"></a>
 <a class="indexterm" name="id2625828"></a>
 <a class="indexterm" name="id2625835"></a>
+</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+<a class="indexterm" name="id2619735"></a>
+<a class="indexterm" name="id2619742"></a>
+<a class="indexterm" name="id2619749"></a>
 The use of winbind is necessary only when Samba is the trusting domain, not when it is the
 trusted domain.
 </p></div><div class="sect1" title="Features and Benefits"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2625845"></a>Features and Benefits</h2></div></div></div><p>
 <a class="indexterm" name="id2625853"></a>
 <a class="indexterm" name="id2625859"></a>
+</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2619759"></a>Features and Benefits</h2></div></div></div><p>
+<a class="indexterm" name="id2619767"></a>
+<a class="indexterm" name="id2619774"></a>
 Samba-3 can participate in Samba-to-Samba as well as in Samba-to-MS Windows NT4-style
 trust relationships. This imparts to Samba scalability similar to that with MS Windows NT4.
 </p><p>
 <a class="indexterm" name="id2625873"></a>
 <a class="indexterm" name="id2625880"></a>
 <a class="indexterm" name="id2625887"></a>
 <a class="indexterm" name="id2625893"></a>
 <a class="indexterm" name="id2625900"></a>
+<a class="indexterm" name="id2619787"></a>
+<a class="indexterm" name="id2619794"></a>
+<a class="indexterm" name="id2619801"></a>
+<a class="indexterm" name="id2619808"></a>
+<a class="indexterm" name="id2619815"></a>
 Given that Samba-3 can function with a scalable backend authentication database such as LDAP, and given its
 ability to run in primary as well as backup domain control modes, the administrator would be well-advised to
 …
 function, this system is fragile.  That was, after all, a key reason for the development and adoption of
 Microsoft Active Directory.
 </p></div><div class="sect1" title="Trust Relationship Background"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2625917"></a>Trust Relationship Background</h2></div></div></div><p>
 <a class="indexterm" name="id2625925"></a>
 <a class="indexterm" name="id2625932"></a>
 <a class="indexterm" name="id2625939"></a>
 <a class="indexterm" name="id2625946"></a>
 <a class="indexterm" name="id2625953"></a>
 <a class="indexterm" name="id2625959"></a>
+</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2619831"></a>Trust Relationship Background</h2></div></div></div><p>
+<a class="indexterm" name="id2619839"></a>
+<a class="indexterm" name="id2619846"></a>
+<a class="indexterm" name="id2619853"></a>
+<a class="indexterm" name="id2619860"></a>
+<a class="indexterm" name="id2619867"></a>
+<a class="indexterm" name="id2619874"></a>
 MS Windows NT3/4-type security domains employ a nonhierarchical security structure.
 The limitations of this architecture as it effects the scalability of MS Windows networking
 …
 large and diverse organizations.
 </p><p>
 <a class="indexterm" name="id2625976"></a>
 <a class="indexterm" name="id2625983"></a>
 <a class="indexterm" name="id2625990"></a>
 <a class="indexterm" name="id2625996"></a>
 <a class="indexterm" name="id2626003"></a>
+<a class="indexterm" name="id2619891"></a>
+<a class="indexterm" name="id2619897"></a>
+<a class="indexterm" name="id2619904"></a>
+<a class="indexterm" name="id2619911"></a>
+<a class="indexterm" name="id2619918"></a>
 Microsoft developed Active Directory Service (ADS), based on Kerberos and LDAP, as a means
 of circumventing the limitations of the older technologies. Not every organization is ready
 …
 desire to go through a disruptive change to adopt ADS.
 </p><p>
 <a class="indexterm" name="id2626021"></a>
 <a class="indexterm" name="id2626028"></a>
 <a class="indexterm" name="id2626034"></a>
 <a class="indexterm" name="id2626041"></a>
 <a class="indexterm" name="id2626048"></a>
 <a class="indexterm" name="id2626055"></a>
 <a class="indexterm" name="id2626062"></a>
+<a class="indexterm" name="id2619935"></a>
+<a class="indexterm" name="id2619942"></a>
+<a class="indexterm" name="id2619949"></a>
+<a class="indexterm" name="id2619956"></a>
+<a class="indexterm" name="id2619962"></a>
+<a class="indexterm" name="id2619969"></a>
+<a class="indexterm" name="id2619976"></a>
 With Windows NT, Microsoft introduced the ability to allow different security domains
 to effect a mechanism so users from one domain may be given access rights and privileges
 …
 necessary to establish two relationships, one in each direction.
 </p><p>
 <a class="indexterm" name="id2626100"></a>
 <a class="indexterm" name="id2626106"></a>
 <a class="indexterm" name="id2626113"></a>
 <a class="indexterm" name="id2626120"></a>
 <a class="indexterm" name="id2626127"></a>
+<a class="indexterm" name="id2620014"></a>
+<a class="indexterm" name="id2620021"></a>
+<a class="indexterm" name="id2620028"></a>
+<a class="indexterm" name="id2620035"></a>
+<a class="indexterm" name="id2620041"></a>
 Further, in an NT4-style MS security domain, all trusts are nontransitive. This means that if there are three
 domains (let's call them red, white, and blue), where red and white have a trust relationship, and white and
 …
 Relationships are explicit and not transitive.
 </p><p>
 <a class="indexterm" name="id2626144"></a>
 <a class="indexterm" name="id2626150"></a>
 <a class="indexterm" name="id2626157"></a>
 <a class="indexterm" name="id2626164"></a>
 <a class="indexterm" name="id2626171"></a>
 <a class="indexterm" name="id2626178"></a>
 <a class="indexterm" name="id2626185"></a>
+<a class="indexterm" name="id2620058"></a>
+<a class="indexterm" name="id2620064"></a>
+<a class="indexterm" name="id2620071"></a>
+<a class="indexterm" name="id2620078"></a>
+<a class="indexterm" name="id2620085"></a>
+<a class="indexterm" name="id2620092"></a>
+<a class="indexterm" name="id2620099"></a>
 New to MS Windows 2000 ADS security contexts is the fact that trust relationships are two-way by default.
 Also, all inter-ADS domain trusts are transitive. In the case of the red, white, and blue domains, with
 …
 domains. Samba-3 implements MS Windows NT4-style interdomain trusts and interoperates with MS Windows 200x ADS
 security domains in similar manner to MS Windows NT4-style domains.
 </p></div><div class="sect1" title="Native MS Windows NT4 Trusts Configuration"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2626202"></a>Native MS Windows NT4 Trusts Configuration</h2></div></div></div><p>
 <a class="indexterm" name="id2626210"></a>
 <a class="indexterm" name="id2626219"></a>
 <a class="indexterm" name="id2626226"></a>
+</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2620117"></a>Native MS Windows NT4 Trusts Configuration</h2></div></div></div><p>
+<a class="indexterm" name="id2620124"></a>
+<a class="indexterm" name="id2620133"></a>
+<a class="indexterm" name="id2620140"></a>
 There are two steps to creating an interdomain trust relationship. To effect a two-way trust
 relationship, it is necessary for each domain administrator to create a trust account for the
 other domain to use in verifying security credentials.
 </p><div class="sect2" title="Creating an NT4 Domain Trust"><div class="titlepage"><div><div><h3 class="title"><a name="id2626238"></a>Creating an NT4 Domain Trust</h3></div></div></div><p>
 <a class="indexterm" name="id2626247"></a>
 <a class="indexterm" name="id2626254"></a>
 <a class="indexterm" name="id2626260"></a>
 <a class="indexterm" name="id2626268"></a>
 <a class="indexterm" name="id2626275"></a>
+</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2620153"></a>Creating an NT4 Domain Trust</h3></div></div></div><p>
+<a class="indexterm" name="id2620161"></a>
+<a class="indexterm" name="id2620168"></a>
+<a class="indexterm" name="id2620175"></a>
+<a class="indexterm" name="id2620182"></a>
+<a class="indexterm" name="id2620189"></a>
 For MS Windows NT4, all domain trust relationships are configured using the
 <span class="application">Domain User Manager</span>. This is done from the Domain User Manager Policies
 …
 trusting domain will use when authenticating users from the trusted domain.
 The password needs to be typed twice (for standard confirmation).
 </p></div><div class="sect2" title="Completing an NT4 Domain Trust"><div class="titlepage"><div><div><h3 class="title"><a name="id2626335"></a>Completing an NT4 Domain Trust</h3></div></div></div><p>
 <a class="indexterm" name="id2626344"></a>
 <a class="indexterm" name="id2626350"></a>
 <a class="indexterm" name="id2626357"></a>
 <a class="indexterm" name="id2626364"></a>
 <a class="indexterm" name="id2626371"></a>
 <a class="indexterm" name="id2626378"></a>
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2620250"></a>Completing an NT4 Domain Trust</h3></div></div></div><p>
+<a class="indexterm" name="id2620258"></a>
+<a class="indexterm" name="id2620265"></a>
+<a class="indexterm" name="id2620272"></a>
+<a class="indexterm" name="id2620279"></a>
+<a class="indexterm" name="id2620286"></a>
+<a class="indexterm" name="id2620292"></a>
 A trust relationship will work only when the other (trusting) domain makes the appropriate connections
 with the trusted domain. To consummate the trust relationship, the administrator launches the
 …
 next to the box that is labeled <span class="guilabel">Trusted Domains</span>. A panel opens in which
 must be entered the name of the remote domain as well as the password assigned to that trust.
 </p></div><div class="sect2" title="Interdomain Trust Facilities"><div class="titlepage"><div><div><h3 class="title"><a name="id2626421"></a>Interdomain Trust Facilities</h3></div></div></div><p>
 <a class="indexterm" name="id2626429"></a>
 <a class="indexterm" name="id2626436"></a>
 <a class="indexterm" name="id2626443"></a>
 <a class="indexterm" name="id2626450"></a>
 <a class="indexterm" name="id2626456"></a>
 <a class="indexterm" name="id2626463"></a>
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2620335"></a>Interdomain Trust Facilities</h3></div></div></div><p>
+<a class="indexterm" name="id2620343"></a>
+<a class="indexterm" name="id2620350"></a>
+<a class="indexterm" name="id2620357"></a>
+<a class="indexterm" name="id2620364"></a>
+<a class="indexterm" name="id2620371"></a>
+<a class="indexterm" name="id2620378"></a>
 A two-way trust relationship is created when two one-way trusts are created, one in each direction.
 Where a one-way trust has been established between two MS Windows NT4 domains (let's call them
 DomA and DomB), the following facilities are created:
 </p><div class="figure"><a name="trusts1"></a><p class="title"><b>Figure 19.1. Trusts overview.</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/trusts1.png" alt="Trusts overview."></div></div></div><br class="figure-break"><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>
+</p><div class="figure"><a name="trusts1"></a><p class="title"><b>Figure 19.1. Trusts overview.</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/trusts1.png" alt="Trusts overview."></div></div></div><br class="figure-break"><div class="itemizedlist"><ul type="disc"><li><p>
         DomA (completes the trust connection) <em class="parameter"><code>Trusts</code></em> DomB.
         </p></li><li class="listitem"><p>
+        </p></li><li><p>
         DomA is the <em class="parameter"><code>Trusting</code></em> domain.
         </p></li><li class="listitem"><p>
+        </p></li><li><p>
         DomB is the <em class="parameter"><code>Trusted</code></em> domain (originates the trust account).
         </p></li><li class="listitem"><p>
+        </p></li><li><p>
         Users in DomB can access resources in DomA.
         </p></li><li class="listitem"><p>
+        </p></li><li><p>
         Users in DomA cannot access resources in DomB.
         </p></li><li class="listitem"><p>
+        </p></li><li><p>
         Global groups from DomB can be used in DomA.
         </p></li><li class="listitem"><p>
+        </p></li><li><p>
         Global groups from DomA cannot be used in DomB.
         </p></li><li class="listitem"><p>
+        </p></li><li><p>
         DomB does appear in the logon dialog box on client workstations in DomA.
         </p></li><li class="listitem"><p>
+        </p></li><li><p>
         DomA does not appear in the logon dialog box on client workstations in DomB.
         </p></li></ul></div><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>
+        </p></li></ul></div><div class="itemizedlist"><ul type="disc"><li><p>
         Users and groups in a trusting domain cannot be granted rights, permissions, or access
         to a trusted domain.
         </p></li><li class="listitem"><p>
+        </p></li><li><p>
         The trusting domain can access and use accounts (users/global groups) in the
         trusted domain.
         </p></li><li class="listitem"><p>
+        </p></li><li><p>
         Administrators of the trusted domain can be granted administrative rights in the
         trusting domain.
         </p></li><li class="listitem"><p>
+        </p></li><li><p>
         Users in a trusted domain can be given rights and privileges in the trusting
         domain.
         </p></li><li class="listitem"><p>
+        </p></li><li><p>
         Trusted domain global groups can be given rights and permissions in the trusting
         domain.
         </p></li><li class="listitem"><p>
+        </p></li><li><p>
         Global groups from the trusted domain can be made members in local groups on
         MS Windows domain member machines.
         </p></li></ul></div></div></div><div class="sect1" title="Configuring Samba NT-Style Domain Trusts"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2626630"></a>Configuring Samba NT-Style Domain Trusts</h2></div></div></div><p>
 <a class="indexterm" name="id2626638"></a>
+        </p></li></ul></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2620544"></a>Configuring Samba NT-Style Domain Trusts</h2></div></div></div><p>
+<a class="indexterm" name="id2620552"></a>
 This description is meant to be a fairly short introduction about how to set up a Samba server so
 that it can participate in interdomain trust relationships. Trust relationship support in Samba
 is at an early stage, so do not be surprised if something does not function as it should.
 </p><p>
 <a class="indexterm" name="id2626653"></a>
 <a class="indexterm" name="id2626660"></a>
 <a class="indexterm" name="id2626667"></a>
 <a class="indexterm" name="id2626674"></a>
+<a class="indexterm" name="id2620567"></a>
+<a class="indexterm" name="id2620574"></a>
+<a class="indexterm" name="id2620581"></a>
+<a class="indexterm" name="id2620588"></a>
 Each of the procedures described next assumes the peer domain in the trust relationship is controlled by a
 Windows NT4 server. However, the remote end could just as well be another Samba-3  domain. It can be clearly
 seen, after reading this document, that combining Samba-specific parts of what's written in the following
 sections leads to trust between domains in a purely Samba environment.
 </p><div class="sect2" title="Samba as the Trusted Domain"><div class="titlepage"><div><div><h3 class="title"><a name="samba-trusted-domain"></a>Samba as the Trusted Domain</h3></div></div></div><p>
 <a class="indexterm" name="id2626701"></a>
 <a class="indexterm" name="id2626708"></a>
 <a class="indexterm" name="id2626715"></a>
 <a class="indexterm" name="id2626722"></a>
 <a class="indexterm" name="id2626728"></a>
+</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="samba-trusted-domain"></a>Samba as the Trusted Domain</h3></div></div></div><p>
+<a class="indexterm" name="id2620615"></a>
+<a class="indexterm" name="id2620622"></a>
+<a class="indexterm" name="id2620629"></a>
+<a class="indexterm" name="id2620636"></a>
+<a class="indexterm" name="id2620642"></a>
 In order to set the Samba PDC to be the trusted party of the relationship, you first need
 to create a special account for the domain that will be the trusting party. To do that,
 …
 where <code class="option">-a</code> means to add a new account into the
 passdb database and <code class="option">-i</code> means to <span class="quote">&#8220;<span class="quote">create this
 account with the Interdomain trust flag</span>&#8221;</span>.
 </p><p>
 <a class="indexterm" name="id2626798"></a>
 <a class="indexterm" name="id2626805"></a>
 <a class="indexterm" name="id2626812"></a>
 <a class="indexterm" name="id2626819"></a>
 The account name will be <span class="quote">&#8220;<span class="quote">rumba$</span>&#8221;</span> (the name of the remote domain).
+passdb database and <code class="option">-i</code> means to &#8220;<span class="quote">create this
+account with the Interdomain trust flag</span>&#8221;.
+</p><p>
+<a class="indexterm" name="id2620712"></a>
+<a class="indexterm" name="id2620719"></a>
+<a class="indexterm" name="id2620726"></a>
+<a class="indexterm" name="id2620733"></a>
+The account name will be &#8220;<span class="quote">rumba$</span>&#8221; (the name of the remote domain).
 If this fails, you should check that the trust account has been added to the system
 password database (<code class="filename">/etc/passwd</code>). If it has not been added, you
 can add it manually and then repeat the previous step.
 </p><p>
 <a class="indexterm" name="id2626842"></a>
 <a class="indexterm" name="id2626849"></a>
 <a class="indexterm" name="id2626856"></a>
 <a class="indexterm" name="id2626863"></a>
+<a class="indexterm" name="id2620757"></a>
+<a class="indexterm" name="id2620763"></a>
+<a class="indexterm" name="id2620770"></a>
+<a class="indexterm" name="id2620777"></a>
 After issuing this command, you will be asked to enter the password for the account. You can use any password
 you want, but be aware that Windows NT will not change this password until 7 days following account creation.
 After the command returns successfully, you can look at the entry for the new account (in the standard way as
 appropriate for your configuration) and see that the account's name is really RUMBA$ and it has the
 <span class="quote">&#8220;<span class="quote">I</span>&#8221;</span> flag set in the flags field. Now you are ready to confirm the trust by establishing it from
+&#8220;<span class="quote">I</span>&#8221; flag set in the flags field. Now you are ready to confirm the trust by establishing it from
 Windows NT Server.
 </p><p>
 <a class="indexterm" name="id2626886"></a>
 <a class="indexterm" name="id2626892"></a>
 <a class="indexterm" name="id2626899"></a>
 <a class="indexterm" name="id2626906"></a>
 <a class="indexterm" name="id2626913"></a>
+<a class="indexterm" name="id2620800"></a>
+<a class="indexterm" name="id2620807"></a>
+<a class="indexterm" name="id2620814"></a>
+<a class="indexterm" name="id2620821"></a>
+<a class="indexterm" name="id2620828"></a>
 Open <span class="application">User Manager for Domains</span> and from the <span class="guimenu">Policies</span> menu, select
 <span class="guimenuitem">Trust Relationships...</span>.  Beside the <span class="guilabel">Trusted domains</span> list box,
 …
 time of account creation.  Click on <span class="guibutton">OK</span> and, if everything went without incident, you
 will see the <code class="computeroutput">Trusted domain relationship successfully established</code> message.
 </p></div><div class="sect2" title="Samba as the Trusting Domain"><div class="titlepage"><div><div><h3 class="title"><a name="id2626971"></a>Samba as the Trusting Domain</h3></div></div></div><p>
 <a class="indexterm" name="id2626979"></a>
 <a class="indexterm" name="id2626986"></a>
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2620885"></a>Samba as the Trusting Domain</h3></div></div></div><p>
+<a class="indexterm" name="id2620893"></a>
+<a class="indexterm" name="id2620900"></a>
 This time activities are somewhat reversed. Again, we'll assume that your domain
 controlled by the Samba PDC is called SAMBA and the NT-controlled domain is called RUMBA.
 …
 The very first step is to add an account for the SAMBA domain on RUMBA's PDC.
 </p><p>
 <a class="indexterm" name="id2627003"></a>
 <a class="indexterm" name="id2627010"></a>
 <a class="indexterm" name="id2627017"></a>
+<a class="indexterm" name="id2620918"></a>
+<a class="indexterm" name="id2620925"></a>
+<a class="indexterm" name="id2620932"></a>
 Launch the <span class="application">Domain User Manager</span>, then from the menu select
 <span class="guimenu">Policies</span>, <span class="guimenuitem">Trust Relationships</span>.
 …
 the relationship.
 </p><p>
 <a class="indexterm" name="id2627060"></a>
 <a class="indexterm" name="id2627067"></a>
+<a class="indexterm" name="id2620974"></a>
+<a class="indexterm" name="id2620981"></a>
 The password can be arbitrarily chosen. It is easy to change the password from the Samba server whenever you
 want. After you confirm the password, your account is ready for use. Now its Samba's turn.
 </p><p>
 Using your favorite shell while logged in as root, issue this command:
 <a class="indexterm" name="id2627082"></a>
+<a class="indexterm" name="id2620996"></a>
 </p><p>
 <code class="prompt">root# </code><strong class="userinput"><code>net rpc trustdom establish rumba</code></strong>
 </p><p>
 <a class="indexterm" name="id2627110"></a>
 <a class="indexterm" name="id2627117"></a>
 <a class="indexterm" name="id2627124"></a>
+<a class="indexterm" name="id2621024"></a>
+<a class="indexterm" name="id2621031"></a>
+<a class="indexterm" name="id2621038"></a>
 You will be prompted for the password you just typed on your Windows NT4 Server box.
 An error message, <code class="literal">"NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT,"</code>
 …
 the <code class="literal">Success</code> message. Congratulations! Your trust
 relationship has just been established.
 </p><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
 You have to run this command as root because you must have write access to
 the <code class="filename">secrets.tdb</code> file.
 </p></div></div></div><div class="sect1" title="NT4-Style Domain Trusts with Windows 2000"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2627167"></a>NT4-Style Domain Trusts with Windows 2000</h2></div></div></div><p>
 <a class="indexterm" name="id2627175"></a>
 <a class="indexterm" name="id2627182"></a>
 <a class="indexterm" name="id2627189"></a>
 <a class="indexterm" name="id2627196"></a>
+</p></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2621081"></a>NT4-Style Domain Trusts with Windows 2000</h2></div></div></div><p>
+<a class="indexterm" name="id2621090"></a>
+<a class="indexterm" name="id2621097"></a>
+<a class="indexterm" name="id2621104"></a>
+<a class="indexterm" name="id2621110"></a>
 Although <span class="application">Domain User Manager</span> is not present in Windows 2000, it is
 also possible to establish an NT4-style trust relationship with a Windows 2000 domain
 …
 Samba to trust a Windows 2000 server; however, more testing is still needed in this area.
 </p><p>
 <a class="indexterm" name="id2627217"></a>
 <a class="indexterm" name="id2627224"></a>
 <a class="indexterm" name="id2627231"></a>
 <a class="indexterm" name="id2627238"></a>
+<a class="indexterm" name="id2621132"></a>
+<a class="indexterm" name="id2621139"></a>
+<a class="indexterm" name="id2621146"></a>
+<a class="indexterm" name="id2621152"></a>
 After <a class="link" href="InterdomainTrusts.html#samba-trusted-domain" title="Samba as the Trusted Domain">creating the interdomain trust account on the Samba server</a>
 as described previously, open <span class="application">Active Directory Domains and Trusts</span> on the AD
 …
 <code class="computeroutput">The trusted domain has been added and the trust has been verified.</code> Your
 Samba users can now be granted access to resources in the AD domain.
 </p></div><div class="sect1" title="Common Errors"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2627316"></a>Common Errors</h2></div></div></div><p>
+</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2621231"></a>Common Errors</h2></div></div></div><p>
 Interdomain trust relationships should not be attempted on networks that are unstable
 or that suffer regular outages. Network stability and integrity are key concerns with
 distributed trusted domains.
 </p><div class="sect2" title="Browsing of Trusted Domain Fails"><div class="titlepage"><div><div><h3 class="title"><a name="id2627329"></a>Browsing of Trusted Domain Fails</h3></div></div></div><p>
+</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2621243"></a>Browsing of Trusted Domain Fails</h3></div></div></div><p>
 <span class="emphasis"><em>Browsing from a machine in a trusted Windows 200x domain to a Windows 200x member of
 a trusting Samba domain, I get the following error:</em></span>
 …
 the domain.  If you are running as an account that has privileges to do this
 when you unjoin the machine, it is done; otherwise it is not done.
 </p></div><div class="sect2" title="Problems with LDAP ldapsam and Older Versions of smbldap-tools"><div class="titlepage"><div><div><h3 class="title"><a name="id2627375"></a>Problems with LDAP ldapsam and Older Versions of smbldap-tools</h3></div></div></div><p>
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2621289"></a>Problems with LDAP ldapsam and Older Versions of smbldap-tools</h3></div></div></div><p>
 If you use the <code class="literal">smbldap-useradd</code> script to create a trust
 account to set up interdomain trusts, the process of setting up the trust will

Note: See TracChangeset for help on using the changeset viewer.

Context Navigation

Changeset 411 for branches/samba-3.3.x/docs/htmldocs/Samba3-HOWTO/InterdomainTrusts.html

Legend:

branches/samba-3.3.x/docs/htmldocs/Samba3-HOWTO/InterdomainTrusts.html

Download in other formats: