- Timestamp:
- Nov 12, 2012, 7:37:04 PM (13 years ago)
branches/samba-3.5.x/docs/htmldocs/Samba3-HOWTO/InterdomainTrusts.html
r599 r739 1 <html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 19. Interdomain Trust Relationships</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.75.2"><link rel="home" href="index.html" title="The Official Samba 3.5.x HOWTO and Reference Guide"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="prev" href="securing-samba.html" title="Chapter 18. Securing Samba"><link rel="next" href="msdfs.html" title="Chapter 20. Hosting a Microsoft Distributed File System Tree"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 19. Interdomain Trust Relationships</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="securing-samba.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="msdfs.html">Next</a></td></tr></table><hr></div><div class="chapter" title="Chapter 19. Interdomain Trust Relationships"><div class="titlepage"><div><div><h2 class="title"><a name="InterdomainTrusts"></a>Chapter 19. 
Interdomain Trust Relationships</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email"><<a class="email" href="mailto:jht@samba.org">jht@samba.org</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Rafal</span> <span class="surname">Szczesniak</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email"><<a class="email" href="mailto:mimir@samba.org">mimir@samba.org</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><span class="contrib">drawing</span> <div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><code class="email"><<a class="email" href="mailto:jelmer@samba.org">jelmer@samba.org</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Stephen</span> <span class="surname">Langasek</span></h3><div class="affiliation"><div class="address"><p><code class="email"><<a class="email" href="mailto:vorlon@netexpress.net">vorlon@netexpress.net</a>></code></p></div></div></div></div><div><p class="pubdate">April 3, 2003</p></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="InterdomainTrusts.html#id38 6823">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="InterdomainTrusts.html#id386889">Trust Relationship Background</a></span></dt><dt><span class="sect1"><a href="InterdomainTrusts.html#id387143">Native MS Windows NT4 Trusts Configuration</a></span></dt><dd><dl><dt><span class="sect2"><a 
href="InterdomainTrusts.html#id387177">Creating an NT4 Domain Trust</a></span></dt><dt><span class="sect2"><a href="InterdomainTrusts.html#id387268">Completing an NT4 Domain Trust</a></span></dt><dt><span class="sect2"><a href="InterdomainTrusts.html#id387348">Interdomain Trust Facilities</a></span></dt></dl></dd><dt><span class="sect1"><a href="InterdomainTrusts.html#id387544">Configuring Samba NT-Style Domain Trusts</a></span></dt><dd><dl><dt><span class="sect2"><a href="InterdomainTrusts.html#samba-trusted-domain">Samba as the Trusted Domain</a></span></dt><dt><span class="sect2"><a href="InterdomainTrusts.html#id387860">Samba as the Trusting Domain</a></span></dt></dl></dd><dt><span class="sect1"><a href="InterdomainTrusts.html#id388043">NT4-Style Domain Trusts with Windows 2000</a></span></dt><dt><span class="sect1"><a href="InterdomainTrusts.html#id388180">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="InterdomainTrusts.html#id388191">Browsing of Trusted Domain Fails</a></span></dt><dt><span class="sect2"><a href="InterdomainTrusts.html#id388228">Problems with LDAP ldapsam and Older Versions of smbldap-tools</a></span></dt></dl></dd></dl></div><p>2 <a class="indexterm" name="id38 6616"></a>3 <a class="indexterm" name="id38 6623"></a>4 <a class="indexterm" name="id38 6630"></a>5 <a class="indexterm" name="id38 6636"></a>6 <a class="indexterm" name="id38 6643"></a>7 <a class="indexterm" name="id38 6649"></a>8 <a class="indexterm" name="id38 6656"></a>9 <a class="indexterm" name="id38 6663"></a>10 <a class="indexterm" name="id38 6670"></a>1 <html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 19. 
Interdomain Trust Relationships</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.75.2"><link rel="home" href="index.html" title="The Official Samba 3.5.x HOWTO and Reference Guide"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="prev" href="securing-samba.html" title="Chapter 18. Securing Samba"><link rel="next" href="msdfs.html" title="Chapter 20. Hosting a Microsoft Distributed File System Tree"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 19. Interdomain Trust Relationships</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="securing-samba.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="msdfs.html">Next</a></td></tr></table><hr></div><div class="chapter" title="Chapter 19. Interdomain Trust Relationships"><div class="titlepage"><div><div><h2 class="title"><a name="InterdomainTrusts"></a>Chapter 19. 
Interdomain Trust Relationships</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email"><<a class="email" href="mailto:jht@samba.org">jht@samba.org</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Rafal</span> <span class="surname">Szczesniak</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email"><<a class="email" href="mailto:mimir@samba.org">mimir@samba.org</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><span class="contrib">drawing</span> <div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><code class="email"><<a class="email" href="mailto:jelmer@samba.org">jelmer@samba.org</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Stephen</span> <span class="surname">Langasek</span></h3><div class="affiliation"><div class="address"><p><code class="email"><<a class="email" href="mailto:vorlon@netexpress.net">vorlon@netexpress.net</a>></code></p></div></div></div></div><div><p class="pubdate">April 3, 2003</p></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="InterdomainTrusts.html#id384968">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="InterdomainTrusts.html#id385034">Trust Relationship Background</a></span></dt><dt><span class="sect1"><a href="InterdomainTrusts.html#id385289">Native MS Windows NT4 Trusts Configuration</a></span></dt><dd><dl><dt><span class="sect2"><a 
href="InterdomainTrusts.html#id385323">Creating an NT4 Domain Trust</a></span></dt><dt><span class="sect2"><a href="InterdomainTrusts.html#id385412">Completing an NT4 Domain Trust</a></span></dt><dt><span class="sect2"><a href="InterdomainTrusts.html#id385492">Interdomain Trust Facilities</a></span></dt></dl></dd><dt><span class="sect1"><a href="InterdomainTrusts.html#id385688">Configuring Samba NT-Style Domain Trusts</a></span></dt><dd><dl><dt><span class="sect2"><a href="InterdomainTrusts.html#samba-trusted-domain">Samba as the Trusted Domain</a></span></dt><dt><span class="sect2"><a href="InterdomainTrusts.html#id386004">Samba as the Trusting Domain</a></span></dt></dl></dd><dt><span class="sect1"><a href="InterdomainTrusts.html#id386187">NT4-Style Domain Trusts with Windows 2000</a></span></dt><dt><span class="sect1"><a href="InterdomainTrusts.html#id386324">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="InterdomainTrusts.html#id386334">Browsing of Trusted Domain Fails</a></span></dt><dt><span class="sect2"><a href="InterdomainTrusts.html#id386371">Problems with LDAP ldapsam and Older Versions of smbldap-tools</a></span></dt></dl></dd></dl></div><p> 2 <a class="indexterm" name="id384761"></a> 3 <a class="indexterm" name="id384768"></a> 4 <a class="indexterm" name="id384774"></a> 5 <a class="indexterm" name="id384781"></a> 6 <a class="indexterm" name="id384788"></a> 7 <a class="indexterm" name="id384795"></a> 8 <a class="indexterm" name="id384802"></a> 9 <a class="indexterm" name="id384808"></a> 10 <a class="indexterm" name="id384815"></a> 11 11 Samba-3 supports NT4-style domain trust relationships. This is a feature that many sites 12 12 will want to use if they migrate to Samba-3 from an NT4-style domain and do not want to … … 16 16 trusts. 
17 17 </p><p> 18 <a class="indexterm" name="id38 6683"></a>19 <a class="indexterm" name="id38 6690"></a>20 <a class="indexterm" name="id38 6697"></a>21 <a class="indexterm" name="id38 6704"></a>22 <a class="indexterm" name="id38 6711"></a>18 <a class="indexterm" name="id384829"></a> 19 <a class="indexterm" name="id384836"></a> 20 <a class="indexterm" name="id384842"></a> 21 <a class="indexterm" name="id384849"></a> 22 <a class="indexterm" name="id384856"></a> 23 23 The use of interdomain trusts requires use of <code class="literal">winbind</code>, so the 24 24 <code class="literal">winbindd</code> daemon must be running. Winbind operation in this mode is 25 25 dependent on the specification of a valid UID range and a valid GID range in the <code class="filename">smb.conf</code> file. 26 26 These are specified respectively using: 27 </p><table border="0" summary="Simple list" class="simplelist"><tr><td><a class="indexterm" name="id38 6743"></a><em class="parameter"><code>idmap uid = 10000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id386754"></a><em class="parameter"><code>idmap gid = 10000-20000</code></em></td></tr></table><p>28 <a class="indexterm" name="id38 6766"></a>29 <a class="indexterm" name="id38 6772"></a>30 <a class="indexterm" name="id38 6779"></a>31 <a class="indexterm" name="id38 6786"></a>27 </p><table border="0" summary="Simple list" class="simplelist"><tr><td><a class="indexterm" name="id384888"></a><em class="parameter"><code>idmap uid = 10000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id384900"></a><em class="parameter"><code>idmap gid = 10000-20000</code></em></td></tr></table><p> 28 <a class="indexterm" name="id384911"></a> 29 <a class="indexterm" name="id384918"></a> 30 <a class="indexterm" name="id384925"></a> 31 <a class="indexterm" name="id384931"></a> 32 32 The range of values specified must not overlap values used by the host operating system and must 33 33 not overlap values used in the passdb backend 
for POSIX user accounts. The maximum value is … … 36 36 (32-bit unsigned variable). 37 37 </p><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> 38 <a class="indexterm" name="id38 6801"></a>39 <a class="indexterm" name="id38 6807"></a>40 <a class="indexterm" name="id38 6814"></a>38 <a class="indexterm" name="id384946"></a> 39 <a class="indexterm" name="id384953"></a> 40 <a class="indexterm" name="id384960"></a> 41 41 The use of winbind is necessary only when Samba is the trusting domain, not when it is the 42 42 trusted domain. 43 </p></div><div class="sect1" title="Features and Benefits"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id38 6823"></a>Features and Benefits</h2></div></div></div><p>44 <a class="indexterm" name="id38 6831"></a>45 <a class="indexterm" name="id38 6838"></a>43 </p></div><div class="sect1" title="Features and Benefits"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id384968"></a>Features and Benefits</h2></div></div></div><p> 44 <a class="indexterm" name="id384976"></a> 45 <a class="indexterm" name="id384983"></a> 46 46 Samba-3 can participate in Samba-to-Samba as well as in Samba-to-MS Windows NT4-style 47 47 trust relationships. This imparts to Samba scalability similar to that with MS Windows NT4. 
48 48 </p><p> 49 <a class="indexterm" name="id38 6849"></a>50 <a class="indexterm" name="id38 6856"></a>51 <a class="indexterm" name="id38 6863"></a>52 <a class="indexterm" name="id38 6870"></a>53 <a class="indexterm" name="id38 6876"></a>49 <a class="indexterm" name="id384995"></a> 50 <a class="indexterm" name="id385001"></a> 51 <a class="indexterm" name="id385008"></a> 52 <a class="indexterm" name="id385015"></a> 53 <a class="indexterm" name="id385022"></a> 54 54 Given that Samba-3 can function with a scalable backend authentication database such as LDAP, and given its 55 55 ability to run in primary as well as backup domain control modes, the administrator would be well-advised to … … 57 57 function, this system is fragile. That was, after all, a key reason for the development and adoption of 58 58 Microsoft Active Directory. 59 </p></div><div class="sect1" title="Trust Relationship Background"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id38 6889"></a>Trust Relationship Background</h2></div></div></div><p>60 <a class="indexterm" name="id38 6897"></a>61 <a class="indexterm" name="id38 6904"></a>62 <a class="indexterm" name="id38 6910"></a>63 <a class="indexterm" name="id38 6917"></a>64 <a class="indexterm" name="id38 6924"></a>65 <a class="indexterm" name="id38 6931"></a>59 </p></div><div class="sect1" title="Trust Relationship Background"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id385034"></a>Trust Relationship Background</h2></div></div></div><p> 60 <a class="indexterm" name="id385042"></a> 61 <a class="indexterm" name="id385049"></a> 62 <a class="indexterm" name="id385056"></a> 63 <a class="indexterm" name="id385063"></a> 64 <a class="indexterm" name="id385069"></a> 65 <a class="indexterm" name="id385076"></a> 66 66 MS Windows NT3/4-type security domains employ a nonhierarchical security structure. 
67 67 The limitations of this architecture as it effects the scalability of MS Windows networking … … 70 70 large and diverse organizations. 71 71 </p><p> 72 <a class="indexterm" name="id38 6944"></a>73 <a class="indexterm" name="id38 6951"></a>74 <a class="indexterm" name="id38 6958"></a>75 <a class="indexterm" name="id38 6964"></a>76 <a class="indexterm" name="id38 6971"></a>72 <a class="indexterm" name="id385090"></a> 73 <a class="indexterm" name="id385096"></a> 74 <a class="indexterm" name="id385103"></a> 75 <a class="indexterm" name="id385110"></a> 76 <a class="indexterm" name="id385117"></a> 77 77 Microsoft developed Active Directory Service (ADS), based on Kerberos and LDAP, as a means 78 78 of circumventing the limitations of the older technologies. Not every organization is ready … … 81 81 desire to go through a disruptive change to adopt ADS. 82 82 </p><p> 83 <a class="indexterm" name="id38 6985"></a>84 <a class="indexterm" name="id38 6992"></a>85 <a class="indexterm" name="id38 6998"></a>86 <a class="indexterm" name="id38 7005"></a>87 <a class="indexterm" name="id38 7012"></a>88 <a class="indexterm" name="id38 7019"></a>89 <a class="indexterm" name="id38 7026"></a>83 <a class="indexterm" name="id385130"></a> 84 <a class="indexterm" name="id385137"></a> 85 <a class="indexterm" name="id385144"></a> 86 <a class="indexterm" name="id385151"></a> 87 <a class="indexterm" name="id385157"></a> 88 <a class="indexterm" name="id385164"></a> 89 <a class="indexterm" name="id385171"></a> 90 90 With Windows NT, Microsoft introduced the ability to allow different security domains 91 91 to effect a mechanism so users from one domain may be given access rights and privileges … … 98 98 necessary to establish two relationships, one in each direction. 
99 99 </p><p> 100 <a class="indexterm" name="id38 7049"></a>101 <a class="indexterm" name="id38 7056"></a>102 <a class="indexterm" name="id38 7063"></a>103 <a class="indexterm" name="id38 7070"></a>104 <a class="indexterm" name="id38 7076"></a>100 <a class="indexterm" name="id385194"></a> 101 <a class="indexterm" name="id385201"></a> 102 <a class="indexterm" name="id385208"></a> 103 <a class="indexterm" name="id385215"></a> 104 <a class="indexterm" name="id385222"></a> 105 105 Further, in an NT4-style MS security domain, all trusts are nontransitive. This means that if there are three 106 106 domains (let's call them red, white, and blue), where red and white have a trust relationship, and white and … … 108 108 Relationships are explicit and not transitive. 109 109 </p><p> 110 <a class="indexterm" name="id38 7090"></a>111 <a class="indexterm" name="id38 7096"></a>112 <a class="indexterm" name="id38 7103"></a>113 <a class="indexterm" name="id38 7110"></a>114 <a class="indexterm" name="id38 7117"></a>115 <a class="indexterm" name="id38 7123"></a>116 <a class="indexterm" name="id38 7130"></a>110 <a class="indexterm" name="id385235"></a> 111 <a class="indexterm" name="id385242"></a> 112 <a class="indexterm" name="id385248"></a> 113 <a class="indexterm" name="id385255"></a> 114 <a class="indexterm" name="id385262"></a> 115 <a class="indexterm" name="id385269"></a> 116 <a class="indexterm" name="id385276"></a> 117 117 New to MS Windows 2000 ADS security contexts is the fact that trust relationships are two-way by default. 118 118 Also, all inter-ADS domain trusts are transitive. In the case of the red, white, and blue domains, with … … 120 120 domains. Samba-3 implements MS Windows NT4-style interdomain trusts and interoperates with MS Windows 200x ADS 121 121 security domains in similar manner to MS Windows NT4-style domains. 
122 </p></div><div class="sect1" title="Native MS Windows NT4 Trusts Configuration"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id38 7143"></a>Native MS Windows NT4 Trusts Configuration</h2></div></div></div><p>123 <a class="indexterm" name="id38 7151"></a>124 <a class="indexterm" name="id38 7161"></a>125 <a class="indexterm" name="id38 7167"></a>122 </p></div><div class="sect1" title="Native MS Windows NT4 Trusts Configuration"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id385289"></a>Native MS Windows NT4 Trusts Configuration</h2></div></div></div><p> 123 <a class="indexterm" name="id385297"></a> 124 <a class="indexterm" name="id385306"></a> 125 <a class="indexterm" name="id385313"></a> 126 126 There are two steps to creating an interdomain trust relationship. To effect a two-way trust 127 127 relationship, it is necessary for each domain administrator to create a trust account for the 128 128 other domain to use in verifying security credentials. 
129 </p><div class="sect2" title="Creating an NT4 Domain Trust"><div class="titlepage"><div><div><h3 class="title"><a name="id38 7177"></a>Creating an NT4 Domain Trust</h3></div></div></div><p>130 <a class="indexterm" name="id38 7185"></a>131 <a class="indexterm" name="id38 7192"></a>132 <a class="indexterm" name="id38 7199"></a>133 <a class="indexterm" name="id38 7206"></a>134 <a class="indexterm" name="id38 7213"></a>129 </p><div class="sect2" title="Creating an NT4 Domain Trust"><div class="titlepage"><div><div><h3 class="title"><a name="id385323"></a>Creating an NT4 Domain Trust</h3></div></div></div><p> 130 <a class="indexterm" name="id385331"></a> 131 <a class="indexterm" name="id385337"></a> 132 <a class="indexterm" name="id385344"></a> 133 <a class="indexterm" name="id385351"></a> 134 <a class="indexterm" name="id385358"></a> 135 135 For MS Windows NT4, all domain trust relationships are configured using the 136 136 <span class="application">Domain User Manager</span>. This is done from the Domain User Manager Policies … … 143 143 trusting domain will use when authenticating users from the trusted domain. 144 144 The password needs to be typed twice (for standard confirmation). 
145 </p></div><div class="sect2" title="Completing an NT4 Domain Trust"><div class="titlepage"><div><div><h3 class="title"><a name="id38 7268"></a>Completing an NT4 Domain Trust</h3></div></div></div><p>146 <a class="indexterm" name="id38 7276"></a>147 <a class="indexterm" name="id38 7282"></a>148 <a class="indexterm" name="id38 7289"></a>149 <a class="indexterm" name="id38 7296"></a>150 <a class="indexterm" name="id38 7303"></a>151 <a class="indexterm" name="id38 7310"></a>145 </p></div><div class="sect2" title="Completing an NT4 Domain Trust"><div class="titlepage"><div><div><h3 class="title"><a name="id385412"></a>Completing an NT4 Domain Trust</h3></div></div></div><p> 146 <a class="indexterm" name="id385420"></a> 147 <a class="indexterm" name="id385427"></a> 148 <a class="indexterm" name="id385434"></a> 149 <a class="indexterm" name="id385440"></a> 150 <a class="indexterm" name="id385447"></a> 151 <a class="indexterm" name="id385454"></a> 152 152 A trust relationship will work only when the other (trusting) domain makes the appropriate connections 153 153 with the trusted domain. To consummate the trust relationship, the administrator launches the … … 156 156 next to the box that is labeled <span class="guilabel">Trusted Domains</span>. A panel opens in which 157 157 must be entered the name of the remote domain as well as the password assigned to that trust. 
158 </p></div><div class="sect2" title="Interdomain Trust Facilities"><div class="titlepage"><div><div><h3 class="title"><a name="id38 7348"></a>Interdomain Trust Facilities</h3></div></div></div><p>159 <a class="indexterm" name="id38 7356"></a>160 <a class="indexterm" name="id38 7362"></a>161 <a class="indexterm" name="id38 7369"></a>162 <a class="indexterm" name="id38 7376"></a>163 <a class="indexterm" name="id38 7383"></a>164 <a class="indexterm" name="id38 7390"></a>158 </p></div><div class="sect2" title="Interdomain Trust Facilities"><div class="titlepage"><div><div><h3 class="title"><a name="id385492"></a>Interdomain Trust Facilities</h3></div></div></div><p> 159 <a class="indexterm" name="id385500"></a> 160 <a class="indexterm" name="id385507"></a> 161 <a class="indexterm" name="id385514"></a> 162 <a class="indexterm" name="id385521"></a> 163 <a class="indexterm" name="id385527"></a> 164 <a class="indexterm" name="id385534"></a> 165 165 A two-way trust relationship is created when two one-way trusts are created, one in each direction. 166 166 Where a one-way trust has been established between two MS Windows NT4 domains (let's call them … … 202 202 Global groups from the trusted domain can be made members in local groups on 203 203 MS Windows domain member machines. 
204 </p></li></ul></div></div></div><div class="sect1" title="Configuring Samba NT-Style Domain Trusts"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id38 7544"></a>Configuring Samba NT-Style Domain Trusts</h2></div></div></div><p>205 <a class="indexterm" name="id38 7552"></a>204 </p></li></ul></div></div></div><div class="sect1" title="Configuring Samba NT-Style Domain Trusts"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id385688"></a>Configuring Samba NT-Style Domain Trusts</h2></div></div></div><p> 205 <a class="indexterm" name="id385696"></a> 206 206 This description is meant to be a fairly short introduction about how to set up a Samba server so 207 207 that it can participate in interdomain trust relationships. Trust relationship support in Samba 208 208 is at an early stage, so do not be surprised if something does not function as it should. 209 209 </p><p> 210 <a class="indexterm" name="id38 7565"></a>211 <a class="indexterm" name="id38 7572"></a>212 <a class="indexterm" name="id38 7578"></a>213 <a class="indexterm" name="id38 7585"></a>210 <a class="indexterm" name="id385708"></a> 211 <a class="indexterm" name="id385715"></a> 212 <a class="indexterm" name="id385722"></a> 213 <a class="indexterm" name="id385729"></a> 214 214 Each of the procedures described next assumes the peer domain in the trust relationship is controlled by a 215 215 Windows NT4 server. However, the remote end could just as well be another Samba-3 domain. It can be clearly … … 217 217 sections leads to trust between domains in a purely Samba environment. 
218 218 </p><div class="sect2" title="Samba as the Trusted Domain"><div class="titlepage"><div><div><h3 class="title"><a name="samba-trusted-domain"></a>Samba as the Trusted Domain</h3></div></div></div><p> 219 <a class="indexterm" name="id38 7608"></a>220 <a class="indexterm" name="id38 7615"></a>221 <a class="indexterm" name="id38 7622"></a>222 <a class="indexterm" name="id38 7628"></a>223 <a class="indexterm" name="id38 7635"></a>219 <a class="indexterm" name="id385752"></a> 220 <a class="indexterm" name="id385758"></a> 221 <a class="indexterm" name="id385765"></a> 222 <a class="indexterm" name="id385772"></a> 223 <a class="indexterm" name="id385779"></a> 224 224 In order to set the Samba PDC to be the trusted party of the relationship, you first need 225 225 to create a special account for the domain that will be the trusting party. To do that, … … 240 240 account with the Interdomain trust flag</span>”</span>. 241 241 </p><p> 242 <a class="indexterm" name="id38 7699"></a>243 <a class="indexterm" name="id38 7706"></a>244 <a class="indexterm" name="id38 7713"></a>245 <a class="indexterm" name="id38 7719"></a>242 <a class="indexterm" name="id385843"></a> 243 <a class="indexterm" name="id385850"></a> 244 <a class="indexterm" name="id385856"></a> 245 <a class="indexterm" name="id385863"></a> 246 246 The account name will be <span class="quote">“<span class="quote">rumba$</span>”</span> (the name of the remote domain). 247 247 If this fails, you should check that the trust account has been added to the system … … 249 249 can add it manually and then repeat the previous step. 
250 250 </p><p> 251 <a class="indexterm" name="id38 7741"></a>252 <a class="indexterm" name="id38 7748"></a>253 <a class="indexterm" name="id38 7755"></a>254 <a class="indexterm" name="id38 7762"></a>251 <a class="indexterm" name="id385885"></a> 252 <a class="indexterm" name="id385892"></a> 253 <a class="indexterm" name="id385899"></a> 254 <a class="indexterm" name="id385905"></a> 255 255 After issuing this command, you will be asked to enter the password for the account. You can use any password 256 256 you want, but be aware that Windows NT will not change this password until 7 days following account creation. … … 260 260 Windows NT Server. 261 261 </p><p> 262 <a class="indexterm" name="id38 7780"></a>263 <a class="indexterm" name="id38 7786"></a>264 <a class="indexterm" name="id38 7793"></a>265 <a class="indexterm" name="id38 7800"></a>266 <a class="indexterm" name="id38 7807"></a>262 <a class="indexterm" name="id385923"></a> 263 <a class="indexterm" name="id385930"></a> 264 <a class="indexterm" name="id385937"></a> 265 <a class="indexterm" name="id385944"></a> 266 <a class="indexterm" name="id385951"></a> 267 267 Open <span class="application">User Manager for Domains</span> and from the <span class="guimenu">Policies</span> menu, select 268 268 <span class="guimenuitem">Trust Relationships...</span>. Beside the <span class="guilabel">Trusted domains</span> list box, … … 271 271 time of account creation. Click on <span class="guibutton">OK</span> and, if everything went without incident, you 272 272 will see the <code class="computeroutput">Trusted domain relationship successfully established</code> message. 
273 </p></div><div class="sect2" title="Samba as the Trusting Domain"><div class="titlepage"><div><div><h3 class="title"><a name="id38 7860"></a>Samba as the Trusting Domain</h3></div></div></div><p>274 <a class="indexterm" name="id38 7868"></a>275 <a class="indexterm" name="id38 7875"></a>273 </p></div><div class="sect2" title="Samba as the Trusting Domain"><div class="titlepage"><div><div><h3 class="title"><a name="id386004"></a>Samba as the Trusting Domain</h3></div></div></div><p> 274 <a class="indexterm" name="id386012"></a> 275 <a class="indexterm" name="id386019"></a> 276 276 This time activities are somewhat reversed. Again, we'll assume that your domain 277 277 controlled by the Samba PDC is called SAMBA and the NT-controlled domain is called RUMBA. … … 279 279 The very first step is to add an account for the SAMBA domain on RUMBA's PDC. 280 280 </p><p> 281 <a class="indexterm" name="id38 7890"></a>282 <a class="indexterm" name="id38 7897"></a>283 <a class="indexterm" name="id38 7904"></a>281 <a class="indexterm" name="id386034"></a> 282 <a class="indexterm" name="id386041"></a> 283 <a class="indexterm" name="id386048"></a> 284 284 Launch the <span class="application">Domain User Manager</span>, then from the menu select 285 285 <span class="guimenu">Policies</span>, <span class="guimenuitem">Trust Relationships</span>. … … 288 288 the relationship. 289 289 </p><p> 290 <a class="indexterm" name="id38 7944"></a>291 <a class="indexterm" name="id38 7951"></a>290 <a class="indexterm" name="id386088"></a> 291 <a class="indexterm" name="id386095"></a> 292 292 The password can be arbitrarily chosen. It is easy to change the password from the Samba server whenever you 293 293 want. After you confirm the password, your account is ready for use. Now its Samba's turn. 
294 294 </p><p> 295 295 Using your favorite shell while logged in as root, issue this command: 296 <a class="indexterm" name="id38 7964"></a>296 <a class="indexterm" name="id386108"></a> 297 297 </p><p> 298 298 <code class="prompt">root# </code><strong class="userinput"><code>net rpc trustdom establish rumba</code></strong> 299 299 </p><p> 300 <a class="indexterm" name="id38 7992"></a>301 <a class="indexterm" name="id38 7999"></a>302 <a class="indexterm" name="id38 8006"></a>300 <a class="indexterm" name="id386136"></a> 301 <a class="indexterm" name="id386142"></a> 302 <a class="indexterm" name="id386149"></a> 303 303 You will be prompted for the password you just typed on your Windows NT4 Server box. 304 304 An error message, <code class="literal">"NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT,"</code> … … 312 312 You have to run this command as root because you must have write access to 313 313 the <code class="filename">secrets.tdb</code> file. 314 </p></div></div></div><div class="sect1" title="NT4-Style Domain Trusts with Windows 2000"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id38 8043"></a>NT4-Style Domain Trusts with Windows 2000</h2></div></div></div><p>315 <a class="indexterm" name="id38 8051"></a>316 <a class="indexterm" name="id38 8058"></a>317 <a class="indexterm" name="id38 8065"></a>318 <a class="indexterm" name="id38 8072"></a>314 </p></div></div></div><div class="sect1" title="NT4-Style Domain Trusts with Windows 2000"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id386187"></a>NT4-Style Domain Trusts with Windows 2000</h2></div></div></div><p> 315 <a class="indexterm" name="id386195"></a> 316 <a class="indexterm" name="id386202"></a> 317 <a class="indexterm" name="id386208"></a> 318 <a class="indexterm" name="id386215"></a> 319 319 Although <span class="application">Domain User Manager</span> is not present in Windows 2000, it is 320 320 also possible to establish an NT4-style 
trust relationship with a Windows 2000 domain … … 322 322 Samba to trust a Windows 2000 server; however, more testing is still needed in this area. 323 323 </p><p> 324 <a class="indexterm" name="id38 8090"></a>325 <a class="indexterm" name="id38 8097"></a>326 <a class="indexterm" name="id38 8104"></a>327 <a class="indexterm" name="id38 8111"></a>324 <a class="indexterm" name="id386234"></a> 325 <a class="indexterm" name="id386241"></a> 326 <a class="indexterm" name="id386248"></a> 327 <a class="indexterm" name="id386254"></a> 328 328 After <a class="link" href="InterdomainTrusts.html#samba-trusted-domain" title="Samba as the Trusted Domain">creating the interdomain trust account on the Samba server</a> 329 329 as described previously, open <span class="application">Active Directory Domains and Trusts</span> on the AD … … 339 339 <code class="computeroutput">The trusted domain has been added and the trust has been verified.</code> Your 340 340 Samba users can now be granted access to resources in the AD domain. 341 </p></div><div class="sect1" title="Common Errors"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id38 8180"></a>Common Errors</h2></div></div></div><p>341 </p></div><div class="sect1" title="Common Errors"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id386324"></a>Common Errors</h2></div></div></div><p> 342 342 Interdomain trust relationships should not be attempted on networks that are unstable 343 343 or that suffer regular outages. Network stability and integrity are key concerns with 344 344 distributed trusted domains. 
345 </p><div class="sect2" title="Browsing of Trusted Domain Fails"><div class="titlepage"><div><div><h3 class="title"><a name="id38 8191"></a>Browsing of Trusted Domain Fails</h3></div></div></div><p>345 </p><div class="sect2" title="Browsing of Trusted Domain Fails"><div class="titlepage"><div><div><h3 class="title"><a name="id386334"></a>Browsing of Trusted Domain Fails</h3></div></div></div><p> 346 346 <span class="emphasis"><em>Browsing from a machine in a trusted Windows 200x domain to a Windows 200x member of 347 347 a trusting Samba domain, I get the following error:</em></span> … … 361 361 the domain. If you are running as an account that has privileges to do this 362 362 when you unjoin the machine, it is done; otherwise it is not done. 363 </p></div><div class="sect2" title="Problems with LDAP ldapsam and Older Versions of smbldap-tools"><div class="titlepage"><div><div><h3 class="title"><a name="id38 8228"></a>Problems with LDAP ldapsam and Older Versions of smbldap-tools</h3></div></div></div><p>363 </p></div><div class="sect2" title="Problems with LDAP ldapsam and Older Versions of smbldap-tools"><div class="titlepage"><div><div><h3 class="title"><a name="id386371"></a>Problems with LDAP ldapsam and Older Versions of smbldap-tools</h3></div></div></div><p> 364 364 If you use the <code class="literal">smbldap-useradd</code> script to create a trust 365 365 account to set up interdomain trusts, the process of setting up the trust will
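Review bot: Every changed token in this hunk is an auto-generated DocBook anchor, not content: the TOC hrefs and section `<a name=...>` values go from `id386823`/`id386889`/`id387143` on the left (r599) to `id384968`/`id385034`/`id385289` on the right (r739), and the long `<a class="indexterm" name="id38...">` series is renumbered the same way, while the surrounding prose, the `idmap uid = 10000-20000` / `idmap gid = 10000-20000` settings and the `net rpc trustdom establish rumba` procedure are byte-for-byte identical. Any bookmark or cross-reference that targets one of these generated ids (for example `InterdomainTrusts.html#id387860` for "Samba as the Trusting Domain") silently stops working with this regeneration. The only section anchor that survives unchanged is the explicit one, `samba-trusted-domain`, which the chapter itself relies on (`href="InterdomainTrusts.html#samba-trusted-domain"`); consider giving the remaining sect1/sect2 elements explicit ids in the DocBook source so that rebuilding the HTML with the same stylesheets (`DocBook XSL Stylesheets V1.75.2` on both sides) no longer churns every anchor and a diff of this file shows only real documentation changes.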