+++ /dev/null
-<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 19. Interdomain Trust Relationships</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.75.2"><link rel="home" href="index.html" title="The Official Samba 3.5.x HOWTO and Reference Guide"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="prev" href="securing-samba.html" title="Chapter 18. Securing Samba"><link rel="next" href="msdfs.html" title="Chapter 20. Hosting a Microsoft Distributed File System Tree"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 19. Interdomain Trust Relationships</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="securing-samba.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="msdfs.html">Next</a></td></tr></table><hr></div><div class="chapter" title="Chapter 19. Interdomain Trust Relationships"><div class="titlepage"><div><div><h2 class="title"><a name="InterdomainTrusts"></a>Chapter 19. Interdomain Trust Relationships</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email"><<a class="email" href="mailto:jht@samba.org">jht@samba.org</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Rafal</span> <span class="surname">Szczesniak</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email"><<a class="email" href="mailto:mimir@samba.org">mimir@samba.org</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><span class="contrib">drawing</span> <div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><code class="email"><<a class="email" href="mailto:jelmer@samba.org">jelmer@samba.org</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Stephen</span> <span class="surname">Langasek</span></h3><div class="affiliation"><div class="address"><p><code class="email"><<a class="email" href="mailto:vorlon@netexpress.net">vorlon@netexpress.net</a>></code></p></div></div></div></div><div><p class="pubdate">April 3, 2003</p></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="InterdomainTrusts.html#id386823">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="InterdomainTrusts.html#id386889">Trust Relationship Background</a></span></dt><dt><span class="sect1"><a href="InterdomainTrusts.html#id387144">Native MS Windows NT4 Trusts Configuration</a></span></dt><dd><dl><dt><span class="sect2"><a href="InterdomainTrusts.html#id387178">Creating an NT4 Domain Trust</a></span></dt><dt><span class="sect2"><a href="InterdomainTrusts.html#id387268">Completing an NT4 Domain Trust</a></span></dt><dt><span class="sect2"><a href="InterdomainTrusts.html#id387348">Interdomain Trust Facilities</a></span></dt></dl></dd><dt><span class="sect1"><a href="InterdomainTrusts.html#id387544">Configuring Samba NT-Style Domain Trusts</a></span></dt><dd><dl><dt><span class="sect2"><a href="InterdomainTrusts.html#samba-trusted-domain">Samba as the Trusted Domain</a></span></dt><dt><span class="sect2"><a href="InterdomainTrusts.html#id387860">Samba as the Trusting Domain</a></span></dt></dl></dd><dt><span class="sect1"><a href="InterdomainTrusts.html#id388043">NT4-Style Domain Trusts with Windows 2000</a></span></dt><dt><span class="sect1"><a href="InterdomainTrusts.html#id388180">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="InterdomainTrusts.html#id388191">Browsing of Trusted Domain Fails</a></span></dt><dt><span class="sect2"><a href="InterdomainTrusts.html#id388228">Problems with LDAP ldapsam and Older Versions of smbldap-tools</a></span></dt></dl></dd></dl></div><p>
-<a class="indexterm" name="id386616"></a>
-<a class="indexterm" name="id386623"></a>
-<a class="indexterm" name="id386630"></a>
-<a class="indexterm" name="id386636"></a>
-<a class="indexterm" name="id386643"></a>
-<a class="indexterm" name="id386650"></a>
-<a class="indexterm" name="id386656"></a>
-<a class="indexterm" name="id386663"></a>
-<a class="indexterm" name="id386670"></a>
-Samba-3 supports NT4-style domain trust relationships. This is a feature that many sites
-will want to use if they migrate to Samba-3 from an NT4-style domain and do not want to
-adopt Active Directory or an LDAP-based authentication backend. This chapter explains
-some background information regarding trust relationships and how to create them. It is now
-possible for Samba-3 to trust NT4 (and vice versa), as well as to create Samba-to-Samba
-trusts.
-</p><p>
-<a class="indexterm" name="id386684"></a>
-<a class="indexterm" name="id386690"></a>
-<a class="indexterm" name="id386697"></a>
-<a class="indexterm" name="id386704"></a>
-<a class="indexterm" name="id386711"></a>
-The use of interdomain trusts requires use of <code class="literal">winbind</code>, so the
-<code class="literal">winbindd</code> daemon must be running. Winbind operation in this mode is
-dependent on the specification of a valid UID range and a valid GID range in the <code class="filename">smb.conf</code> file.
-These are specified respectively using:
-</p><table border="0" summary="Simple list" class="simplelist"><tr><td><a class="indexterm" name="id386743"></a><em class="parameter"><code>idmap uid = 10000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id386754"></a><em class="parameter"><code>idmap gid = 10000-20000</code></em></td></tr></table><p>
-<a class="indexterm" name="id386766"></a>
-<a class="indexterm" name="id386773"></a>
-<a class="indexterm" name="id386779"></a>
-<a class="indexterm" name="id386786"></a>
-The range of values specified must not overlap values used by the host operating system and must
-not overlap values used in the passdb backend for POSIX user accounts. The maximum value is
-limited by the upper-most value permitted by the host operating system. This is a UNIX kernel
-limited parameter. Linux kernel 2.6-based systems support a maximum value of 4294967295
-(32-bit unsigned variable).
-</p><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
-<a class="indexterm" name="id386801"></a>
-<a class="indexterm" name="id386808"></a>
-<a class="indexterm" name="id386814"></a>
-The use of winbind is necessary only when Samba is the trusting domain, not when it is the
-trusted domain.
-</p></div><div class="sect1" title="Features and Benefits"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id386823"></a>Features and Benefits</h2></div></div></div><p>
-<a class="indexterm" name="id386831"></a>
-<a class="indexterm" name="id386838"></a>
-Samba-3 can participate in Samba-to-Samba as well as in Samba-to-MS Windows NT4-style
-trust relationships. This imparts to Samba scalability similar to that with MS Windows NT4.
-</p><p>
-<a class="indexterm" name="id386849"></a>
-<a class="indexterm" name="id386856"></a>
-<a class="indexterm" name="id386863"></a>
-<a class="indexterm" name="id386870"></a>
-<a class="indexterm" name="id386877"></a>
-Given that Samba-3 can function with a scalable backend authentication database such as LDAP, and given its
-ability to run in primary as well as backup domain control modes, the administrator would be well-advised to
-consider alternatives to the use of interdomain trusts simply because, by the very nature of how trusts
-function, this system is fragile. That was, after all, a key reason for the development and adoption of
-Microsoft Active Directory.
-</p></div><div class="sect1" title="Trust Relationship Background"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id386889"></a>Trust Relationship Background</h2></div></div></div><p>
-<a class="indexterm" name="id386897"></a>
-<a class="indexterm" name="id386904"></a>
-<a class="indexterm" name="id386911"></a>
-<a class="indexterm" name="id386917"></a>
-<a class="indexterm" name="id386924"></a>
-<a class="indexterm" name="id386931"></a>
-MS Windows NT3/4-type security domains employ a nonhierarchical security structure.
-The limitations of this architecture as it effects the scalability of MS Windows networking
-in large organizations is well known. Additionally, the flat namespace that results from
-this design significantly impacts the delegation of administrative responsibilities in
-large and diverse organizations.
-</p><p>
-<a class="indexterm" name="id386944"></a>
-<a class="indexterm" name="id386951"></a>
-<a class="indexterm" name="id386958"></a>
-<a class="indexterm" name="id386965"></a>
-<a class="indexterm" name="id386971"></a>
-Microsoft developed Active Directory Service (ADS), based on Kerberos and LDAP, as a means
-of circumventing the limitations of the older technologies. Not every organization is ready
-or willing to embrace ADS. For small companies the older NT4-style domain security paradigm
-is quite adequate, and so there remains an entrenched user base for whom there is no direct
-desire to go through a disruptive change to adopt ADS.
-</p><p>
-<a class="indexterm" name="id386985"></a>
-<a class="indexterm" name="id386992"></a>
-<a class="indexterm" name="id386999"></a>
-<a class="indexterm" name="id387005"></a>
-<a class="indexterm" name="id387012"></a>
-<a class="indexterm" name="id387019"></a>
-<a class="indexterm" name="id387026"></a>
-With Windows NT, Microsoft introduced the ability to allow different security domains
-to effect a mechanism so users from one domain may be given access rights and privileges
-in another domain. The language that describes this capability is couched in terms of
-<span class="emphasis"><em>trusts</em></span>. Specifically, one domain will <span class="emphasis"><em>trust</em></span> the users
-from another domain. The domain from which users can access another security domain is
-said to be a trusted domain. The domain in which those users have assigned rights and privileges
-is the trusting domain. With NT3.x/4.0 all trust relationships are always in one direction only,
-so if users in both domains are to have privileges and rights in each others' domain, then it is
-necessary to establish two relationships, one in each direction.
-</p><p>
-<a class="indexterm" name="id387049"></a>
-<a class="indexterm" name="id387056"></a>
-<a class="indexterm" name="id387063"></a>
-<a class="indexterm" name="id387070"></a>
-<a class="indexterm" name="id387076"></a>
-Further, in an NT4-style MS security domain, all trusts are nontransitive. This means that if there are three
-domains (let's call them red, white, and blue), where red and white have a trust relationship, and white and
-blue have a trust relationship, then it holds that there is no implied trust between the red and blue domains.
-Relationships are explicit and not transitive.
-</p><p>
-<a class="indexterm" name="id387090"></a>
-<a class="indexterm" name="id387096"></a>
-<a class="indexterm" name="id387103"></a>
-<a class="indexterm" name="id387110"></a>
-<a class="indexterm" name="id387117"></a>
-<a class="indexterm" name="id387124"></a>
-<a class="indexterm" name="id387130"></a>
-New to MS Windows 2000 ADS security contexts is the fact that trust relationships are two-way by default.
-Also, all inter-ADS domain trusts are transitive. In the case of the red, white, and blue domains, with
-Windows 2000 and ADS, the red and blue domains can trust each other. This is an inherent feature of ADS
-domains. Samba-3 implements MS Windows NT4-style interdomain trusts and interoperates with MS Windows 200x ADS
-security domains in similar manner to MS Windows NT4-style domains.
-</p></div><div class="sect1" title="Native MS Windows NT4 Trusts Configuration"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id387144"></a>Native MS Windows NT4 Trusts Configuration</h2></div></div></div><p>
-<a class="indexterm" name="id387152"></a>
-<a class="indexterm" name="id387161"></a>
-<a class="indexterm" name="id387168"></a>
-There are two steps to creating an interdomain trust relationship. To effect a two-way trust
-relationship, it is necessary for each domain administrator to create a trust account for the
-other domain to use in verifying security credentials.
-</p><div class="sect2" title="Creating an NT4 Domain Trust"><div class="titlepage"><div><div><h3 class="title"><a name="id387178"></a>Creating an NT4 Domain Trust</h3></div></div></div><p>
-<a class="indexterm" name="id387185"></a>
-<a class="indexterm" name="id387192"></a>
-<a class="indexterm" name="id387199"></a>
-<a class="indexterm" name="id387206"></a>
-<a class="indexterm" name="id387213"></a>
-For MS Windows NT4, all domain trust relationships are configured using the
-<span class="application">Domain User Manager</span>. This is done from the Domain User Manager Policies
-entry on the menu bar. From the <span class="guimenu">Policy</span> menu, select
-<span class="guimenuitem">Trust Relationships</span>. Next to the lower box labeled
-<span class="guilabel">Permitted to Trust this Domain</span> are two buttons, <span class="guibutton">Add</span>
-and <span class="guibutton">Remove</span>. The <span class="guibutton">Add</span> button will open a panel in which
-to enter the name of the remote domain that will be able to assign access rights to users in
-your domain. You will also need to enter a password for this trust relationship, which the
-trusting domain will use when authenticating users from the trusted domain.
-The password needs to be typed twice (for standard confirmation).
-</p></div><div class="sect2" title="Completing an NT4 Domain Trust"><div class="titlepage"><div><div><h3 class="title"><a name="id387268"></a>Completing an NT4 Domain Trust</h3></div></div></div><p>
-<a class="indexterm" name="id387276"></a>
-<a class="indexterm" name="id387282"></a>
-<a class="indexterm" name="id387289"></a>
-<a class="indexterm" name="id387296"></a>
-<a class="indexterm" name="id387303"></a>
-<a class="indexterm" name="id387310"></a>
-A trust relationship will work only when the other (trusting) domain makes the appropriate connections
-with the trusted domain. To consummate the trust relationship, the administrator launches the
-Domain User Manager from the menu selects <span class="guilabel">Policies</span>, then select
-<span class="guilabel">Trust Relationships</span>, and clicks on the <span class="guibutton">Add</span> button
-next to the box that is labeled <span class="guilabel">Trusted Domains</span>. A panel opens in which
-must be entered the name of the remote domain as well as the password assigned to that trust.
-</p></div><div class="sect2" title="Interdomain Trust Facilities"><div class="titlepage"><div><div><h3 class="title"><a name="id387348"></a>Interdomain Trust Facilities</h3></div></div></div><p>
-<a class="indexterm" name="id387356"></a>
-<a class="indexterm" name="id387363"></a>
-<a class="indexterm" name="id387369"></a>
-<a class="indexterm" name="id387376"></a>
-<a class="indexterm" name="id387383"></a>
-<a class="indexterm" name="id387390"></a>
-A two-way trust relationship is created when two one-way trusts are created, one in each direction.
-Where a one-way trust has been established between two MS Windows NT4 domains (let's call them
-DomA and DomB), the following facilities are created:
-</p><div class="figure"><a name="trusts1"></a><p class="title"><b>Figure 19.1. Trusts overview.</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/trusts1.png" alt="Trusts overview."></div></div></div><br class="figure-break"><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>
- DomA (completes the trust connection) <em class="parameter"><code>Trusts</code></em> DomB.
- </p></li><li class="listitem"><p>
- DomA is the <em class="parameter"><code>Trusting</code></em> domain.
- </p></li><li class="listitem"><p>
- DomB is the <em class="parameter"><code>Trusted</code></em> domain (originates the trust account).
- </p></li><li class="listitem"><p>
- Users in DomB can access resources in DomA.
- </p></li><li class="listitem"><p>
- Users in DomA cannot access resources in DomB.
- </p></li><li class="listitem"><p>
- Global groups from DomB can be used in DomA.
- </p></li><li class="listitem"><p>
- Global groups from DomA cannot be used in DomB.
- </p></li><li class="listitem"><p>
- DomB does appear in the logon dialog box on client workstations in DomA.
- </p></li><li class="listitem"><p>
- DomA does not appear in the logon dialog box on client workstations in DomB.
- </p></li></ul></div><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>
- Users and groups in a trusting domain cannot be granted rights, permissions, or access
- to a trusted domain.
- </p></li><li class="listitem"><p>
- The trusting domain can access and use accounts (users/global groups) in the
- trusted domain.
- </p></li><li class="listitem"><p>
- Administrators of the trusted domain can be granted administrative rights in the
- trusting domain.
- </p></li><li class="listitem"><p>
- Users in a trusted domain can be given rights and privileges in the trusting
- domain.
- </p></li><li class="listitem"><p>
- Trusted domain global groups can be given rights and permissions in the trusting
- domain.
- </p></li><li class="listitem"><p>
- Global groups from the trusted domain can be made members in local groups on
- MS Windows domain member machines.
- </p></li></ul></div></div></div><div class="sect1" title="Configuring Samba NT-Style Domain Trusts"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id387544"></a>Configuring Samba NT-Style Domain Trusts</h2></div></div></div><p>
-<a class="indexterm" name="id387552"></a>
-This description is meant to be a fairly short introduction about how to set up a Samba server so
-that it can participate in interdomain trust relationships. Trust relationship support in Samba
-is at an early stage, so do not be surprised if something does not function as it should.
-</p><p>
-<a class="indexterm" name="id387565"></a>
-<a class="indexterm" name="id387572"></a>
-<a class="indexterm" name="id387579"></a>
-<a class="indexterm" name="id387585"></a>
-Each of the procedures described next assumes the peer domain in the trust relationship is controlled by a
-Windows NT4 server. However, the remote end could just as well be another Samba-3 domain. It can be clearly
-seen, after reading this document, that combining Samba-specific parts of what's written in the following
-sections leads to trust between domains in a purely Samba environment.
-</p><div class="sect2" title="Samba as the Trusted Domain"><div class="titlepage"><div><div><h3 class="title"><a name="samba-trusted-domain"></a>Samba as the Trusted Domain</h3></div></div></div><p>
-<a class="indexterm" name="id387608"></a>
-<a class="indexterm" name="id387615"></a>
-<a class="indexterm" name="id387622"></a>
-<a class="indexterm" name="id387628"></a>
-<a class="indexterm" name="id387635"></a>
-In order to set the Samba PDC to be the trusted party of the relationship, you first need
-to create a special account for the domain that will be the trusting party. To do that,
-you can use the <code class="literal">smbpasswd</code> utility. Creating the trusted domain account is
-similar to creating a trusted machine account. Suppose, your domain is
-called SAMBA, and the remote domain is called RUMBA. The first step
-will be to issue this command from your favorite shell:
-</p><p>
-</p><pre class="screen">
-<code class="prompt">root# </code> <strong class="userinput"><code>smbpasswd -a -i rumba</code></strong>
-New SMB password: <strong class="userinput"><code>XXXXXXXX</code></strong>
-Retype SMB password: <strong class="userinput"><code>XXXXXXXX</code></strong>
-Added user rumba$
-</pre><p>
-
-where <code class="option">-a</code> means to add a new account into the
-passdb database and <code class="option">-i</code> means to <span class="quote">“<span class="quote">create this
-account with the Interdomain trust flag</span>”</span>.
-</p><p>
-<a class="indexterm" name="id387699"></a>
-<a class="indexterm" name="id387706"></a>
-<a class="indexterm" name="id387713"></a>
-<a class="indexterm" name="id387720"></a>
-The account name will be <span class="quote">“<span class="quote">rumba$</span>”</span> (the name of the remote domain).
-If this fails, you should check that the trust account has been added to the system
-password database (<code class="filename">/etc/passwd</code>). If it has not been added, you
-can add it manually and then repeat the previous step.
-</p><p>
-<a class="indexterm" name="id387741"></a>
-<a class="indexterm" name="id387748"></a>
-<a class="indexterm" name="id387755"></a>
-<a class="indexterm" name="id387762"></a>
-After issuing this command, you will be asked to enter the password for the account. You can use any password
-you want, but be aware that Windows NT will not change this password until 7 days following account creation.
-After the command returns successfully, you can look at the entry for the new account (in the standard way as
-appropriate for your configuration) and see that the account's name is really RUMBA$ and it has the
-<span class="quote">“<span class="quote">I</span>”</span> flag set in the flags field. Now you are ready to confirm the trust by establishing it from
-Windows NT Server.
-</p><p>
-<a class="indexterm" name="id387780"></a>
-<a class="indexterm" name="id387787"></a>
-<a class="indexterm" name="id387793"></a>
-<a class="indexterm" name="id387800"></a>
-<a class="indexterm" name="id387807"></a>
-Open <span class="application">User Manager for Domains</span> and from the <span class="guimenu">Policies</span> menu, select
-<span class="guimenuitem">Trust Relationships...</span>. Beside the <span class="guilabel">Trusted domains</span> list box,
-click the <span class="guimenu">Add...</span> button. You will be prompted for the trusted domain name and the
-relationship password. Type in SAMBA, as this is the name of the remote domain and the password used at the
-time of account creation. Click on <span class="guibutton">OK</span> and, if everything went without incident, you
-will see the <code class="computeroutput">Trusted domain relationship successfully established</code> message.
-</p></div><div class="sect2" title="Samba as the Trusting Domain"><div class="titlepage"><div><div><h3 class="title"><a name="id387860"></a>Samba as the Trusting Domain</h3></div></div></div><p>
-<a class="indexterm" name="id387868"></a>
-<a class="indexterm" name="id387875"></a>
-This time activities are somewhat reversed. Again, we'll assume that your domain
-controlled by the Samba PDC is called SAMBA and the NT-controlled domain is called RUMBA.
-</p><p>
-The very first step is to add an account for the SAMBA domain on RUMBA's PDC.
-</p><p>
-<a class="indexterm" name="id387890"></a>
-<a class="indexterm" name="id387897"></a>
-<a class="indexterm" name="id387904"></a>
-Launch the <span class="application">Domain User Manager</span>, then from the menu select
-<span class="guimenu">Policies</span>, <span class="guimenuitem">Trust Relationships</span>.
-Now, next to the <span class="guilabel">Trusting Domains</span> box, press the <span class="guibutton">Add</span>
-button and type in the name of the trusted domain (SAMBA) and the password to use in securing
-the relationship.
-</p><p>
-<a class="indexterm" name="id387945"></a>
-<a class="indexterm" name="id387951"></a>
-The password can be arbitrarily chosen. It is easy to change the password from the Samba server whenever you
-want. After you confirm the password, your account is ready for use. Now its Samba's turn.
-</p><p>
-Using your favorite shell while logged in as root, issue this command:
-<a class="indexterm" name="id387964"></a>
-</p><p>
-<code class="prompt">root# </code><strong class="userinput"><code>net rpc trustdom establish rumba</code></strong>
-</p><p>
-<a class="indexterm" name="id387992"></a>
-<a class="indexterm" name="id387999"></a>
-<a class="indexterm" name="id388006"></a>
-You will be prompted for the password you just typed on your Windows NT4 Server box.
-An error message, <code class="literal">"NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT,"</code>
-that may be reported periodically is of no concern and may safely be ignored.
-It means the password you gave is correct and the NT4 server says the account is ready for
-interdomain connection and not for ordinary connection. After that, be patient;
-it can take a while (especially in large networks), but eventually you should see
-the <code class="literal">Success</code> message. Congratulations! Your trust
-relationship has just been established.
-</p><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
-You have to run this command as root because you must have write access to
-the <code class="filename">secrets.tdb</code> file.
-</p></div></div></div><div class="sect1" title="NT4-Style Domain Trusts with Windows 2000"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id388043"></a>NT4-Style Domain Trusts with Windows 2000</h2></div></div></div><p>
-<a class="indexterm" name="id388051"></a>
-<a class="indexterm" name="id388058"></a>
-<a class="indexterm" name="id388065"></a>
-<a class="indexterm" name="id388072"></a>
-Although <span class="application">Domain User Manager</span> is not present in Windows 2000, it is
-also possible to establish an NT4-style trust relationship with a Windows 2000 domain
-controller running in mixed mode as the trusting server. It should also be possible for
-Samba to trust a Windows 2000 server; however, more testing is still needed in this area.
-</p><p>
-<a class="indexterm" name="id388090"></a>
-<a class="indexterm" name="id388097"></a>
-<a class="indexterm" name="id388104"></a>
-<a class="indexterm" name="id388111"></a>
-After <a class="link" href="InterdomainTrusts.html#samba-trusted-domain" title="Samba as the Trusted Domain">creating the interdomain trust account on the Samba server</a>
-as described previously, open <span class="application">Active Directory Domains and Trusts</span> on the AD
-controller of the domain whose resources you wish Samba users to have access to. Remember that since NT4-style
-trusts are not transitive, if you want your users to have access to multiple mixed-mode domains in your AD
-forest, you will need to repeat this process for each of those domains. With <span class="application">Active Directory
-domains and trusts</span> open, right-click on the name of the Active Directory domain that will trust
-our Samba domain and choose <span class="guimenuitem">Properties</span>, then click on the
-<span class="guilabel">Trusts</span> tab. In the upper part of the panel, you will see a list box labeled
-<span class="guilabel">Domains trusted by this domain:</span> and an <span class="guilabel">Add...</span> button next to it.
-Press this button and, just as with NT4, you will be prompted for the trusted domain name and the relationship
-password. Press <span class="emphasis"><em>OK</em></span> and after a moment, Active Directory will respond with
-<code class="computeroutput">The trusted domain has been added and the trust has been verified.</code> Your
-Samba users can now be granted access to resources in the AD domain.
-</p></div><div class="sect1" title="Common Errors"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id388180"></a>Common Errors</h2></div></div></div><p>
-Interdomain trust relationships should not be attempted on networks that are unstable
-or that suffer regular outages. Network stability and integrity are key concerns with
-distributed trusted domains.
-</p><div class="sect2" title="Browsing of Trusted Domain Fails"><div class="titlepage"><div><div><h3 class="title"><a name="id388191"></a>Browsing of Trusted Domain Fails</h3></div></div></div><p>
-<span class="emphasis"><em>Browsing from a machine in a trusted Windows 200x domain to a Windows 200x member of
-a trusting Samba domain, I get the following error:</em></span>
-</p><pre class="screen">
-The system detected a possible attempt to compromise security. Please
-ensure that you can contact the server that authenticated you.
-</pre><p>
-</p><p>
-<span class="emphasis"><em>The event logs on the box I'm trying to connect to have entries regarding group
-policy not being applied because it is a member of a down-level domain.</em></span>
-</p><p>If there is a computer account in the Windows
-200x domain for the machine in question, and it is disabled, this problem can
-occur. If there is no computer account (removed or never existed), or if that
-account is still intact (i.e., you just joined it to another domain), everything
-seems to be fine. By default, when you unjoin a domain (the Windows 200x
-domain), the computer tries to automatically disable the computer account in
-the domain. If you are running as an account that has privileges to do this
-when you unjoin the machine, it is done; otherwise it is not done.
-</p></div><div class="sect2" title="Problems with LDAP ldapsam and Older Versions of smbldap-tools"><div class="titlepage"><div><div><h3 class="title"><a name="id388228"></a>Problems with LDAP ldapsam and Older Versions of smbldap-tools</h3></div></div></div><p>
-If you use the <code class="literal">smbldap-useradd</code> script to create a trust
-account to set up interdomain trusts, the process of setting up the trust will
-fail. The account that was created in the LDAP database will have an account
-flags field that has <code class="literal">[W ]</code>, when it must have
-<code class="literal">[I ]</code> for interdomain trusts to work.
-</p><p>Here is a simple solution.
-Create a machine account as follows:
-</p><pre class="screen">
-<code class="prompt">root# </code> smbldap-useradd -w domain_name
-</pre><p>
-Then set the desired trust account password as shown here:
-</p><pre class="screen">
-<code class="prompt">root# </code> smbldap-passwd domain_name\$
-</pre><p>
-Using a text editor, create the following file:
-</p><pre class="screen">
-dn: uid=domain_name$,ou=People,dc={your-domain},dc={your-top-level-domain}
-changetype: modify
-sambaAcctFlags: [I ]
-</pre><p>
-Then apply the text file to the LDAP database as follows:
-</p><pre class="screen">
-<code class="prompt">root# </code> ldapmodify -x -h localhost \
- -D "cn=Manager,dc={your-domain},dc={your-top-level-domain}" \
- -W -f /path-to/foobar
-</pre><p>
-Create a single-sided trust under the NT4 Domain User Manager, then execute:
-</p><pre class="screen">
-<code class="prompt">root# </code> net rpc trustdom establish domain_name
-</pre><p>
-</p><p>
-It works with Samba-3 and NT4 domains, and also with Samba-3 and Windows 200x ADS in mixed mode.
-Both domain controllers, Samba and NT must have the same WINS server; otherwise,
-the trust will never work.
-</p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="securing-samba.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="msdfs.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 18. Securing Samba </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 20. Hosting a Microsoft Distributed File System Tree</td></tr></table></div></body></html>
git.samba.org / abartlet / samba-debian.git / blobdiff