mirror of
https://github.com/samba-team/samba.git
synced 2025-01-20 14:03:59 +03:00
5a4a8305cc
(This used to be commit 58ed149471289c71f6e562495aef7b4e6ace0ad2)
<chapter id="InterdomainTrusts">
<chapterinfo>
	&author.jht;
	&author.mimir;
	<pubdate>April 3, 2003</pubdate>
</chapterinfo>

<title>Interdomain Trust Relationships</title>

<para>
Samba-3 supports NT4 style domain trust relationships. This is a feature that many sites
will want to use if they migrate to Samba-3 from an NT4 style domain and do NOT want to
adopt Active Directory or an LDAP based authentication back end. This section explains
some background information regarding trust relationships and how to create them. It is now
possible for Samba-3 to NT4 trust (and vice versa), as well as Samba-3 to Samba-3 trusts.
</para>

<sect1>
<title>Features and Benefits</title>

<para>
Samba-3 can participate in Samba-to-Samba as well as in Samba-to-MS Windows NT4 style
trust relationships. This imparts to Samba similar scalability as is possible with
MS Windows NT4.
</para>

<para>
Given that Samba-3 has the capability to function with a scalable backend authentication
database such as LDAP, and given its ability to run in Primary as well as Backup Domain Controller
modes, the administrator would be well advised to consider alternatives to the use of
Interdomain trusts, simply because, by the very nature of how this works, it is fragile.
That was, after all, a key reason for the development and adoption of Microsoft Active Directory.
</para>

</sect1>

<sect1>
<title>Trust Relationship Background</title>

<para>
MS Windows NT3.x/4.0 type security domains employ a non-hierarchical security structure.
The limitations of this architecture as it affects the scalability of MS Windows networking
in large organisations are well known. Additionally, the flat name space that results from
this design significantly impacts the delegation of administrative responsibilities in
large and diverse organisations.
</para>

<para>
Microsoft developed Active Directory Service (ADS), based on Kerberos and LDAP, as a means
of circumventing the limitations of the older technologies. Not every organisation is ready
or willing to embrace ADS. For small companies the older NT4 style domain security paradigm
is quite adequate; there thus remains an entrenched user base for whom there is no direct
desire to go through a disruptive change to adopt ADS.
</para>

<para>
Microsoft introduced with MS Windows NT the ability to allow differing security domains
to effect a mechanism so that users from one domain may be given access rights and privileges
in another domain. The language that describes this capability is couched in terms of
<emphasis>Trusts</emphasis>. Specifically, one domain will <emphasis>trust</emphasis> the users
from another domain. The domain from which users are available to another security domain is
said to be a trusted domain. The domain in which those users have assigned rights and privileges
is the trusting domain. With NT3.x/4.0 all trust relationships are always in one direction only,
thus if users in both domains are to have privileges and rights in each other's domain, then it is
necessary to establish two (2) relationships, one in each direction.
</para>

<para>
In an NT4 style MS security domain, all trusts are non-transitive. This means that if there
are three (3) domains (let's call them RED, WHITE, and BLUE) where RED and WHITE have a trust
relationship, and WHITE and BLUE have a trust relationship, then it holds that there is no
implied trust between the RED and BLUE domains, i.e., relationships are explicit and not
transitive.
</para>

<para>
New to MS Windows 2000 ADS security contexts is the fact that trust relationships are two-way
by default. Also, all inter-ADS domain trusts are transitive. In the case of the RED, WHITE and BLUE
domains above, with Windows 2000 and ADS the RED and BLUE domains CAN trust each other. This is
an inherent feature of ADS domains. Samba-3 implements MS Windows NT4
style Interdomain trusts and interoperates with MS Windows 200x ADS
security domains in a similar manner to MS Windows NT4 style domains.
</para>

</sect1>

<sect1>
<title>Native MS Windows NT4 Trusts Configuration</title>

<para>
There are two steps to creating an interdomain trust relationship.
</para>

<sect2>
<title>NT4 as the Trusting Domain (i.e. creating the trusted account)</title>

<para>
For MS Windows NT4, all domain trust relationships are configured using the
<application>Domain User Manager</application>. To effect a two-way trust relationship it is
necessary for each domain administrator to make available (for use by an external domain) its
security resources. This is done from the Domain User Manager Policies entry on the menu bar.
From the <guimenu>Policy</guimenu> menu, select <guimenuitem>Trust Relationships</guimenuitem>, then
next to the lower box that is labelled <guilabel>Permitted to Trust this Domain</guilabel> are two
buttons, <guibutton>Add</guibutton> and <guibutton>Remove</guibutton>. The <guibutton>Add</guibutton>
button will open a panel into which the name of the remote domain that will be able to assign
user rights to your domain needs to be entered. In addition it is necessary to enter a password
that is specific to this trust relationship. The password needs to be
typed twice (for standard confirmation).
</para>

</sect2>

<sect2>
<title>NT4 as the Trusted Domain (i.e. creating the trusted account's password)</title>

<para>
A trust relationship will work only when the other (trusting) domain makes the appropriate connections
with the trusted domain. To consummate the trust relationship the administrator will launch the
Domain User Manager, from the menu select Policies, then select Trust Relationships, then click on the
<guibutton>Add</guibutton> button that is next to the box that is labelled
<guilabel>Trusted Domains</guilabel>. A panel will open into which the name of the remote
domain as well as the password assigned to that trust must be entered.
</para>

</sect2>
</sect1>

<sect1>
<title>Configuring Samba NT-style Domain Trusts</title>

<para>
This description is meant to be a fairly short introduction about how to set up a Samba server so
that it can participate in interdomain trust relationships. Trust relationship support in Samba
is in its early stage, so a lot of things don't work yet.
</para>

<para>
Each of the procedures described below is treated as if it were performed with Windows NT4 Server on
one end. The remote end could just as well be another Samba-3 domain. It can be clearly seen, after
reading this document, that combining the Samba-specific parts of what's written below leads to trust
between domains in a purely Samba environment.
</para>

<sect2>
<title>Samba-3 as the Trusting Domain</title>

<para>
In order to set the Samba PDC to be the trusted party of the relationship, first you need
to create a special account for the domain that will be the trusting party. To do that,
you can use the 'smbpasswd' utility. Creating the trusted domain account is very
similar to creating a trusted machine account. Suppose your domain is
called SAMBA, and the remote domain is called RUMBA. The first step
will be to issue this command from your favourite shell:
</para>

<para>
<screen>
&rootprompt; <userinput>smbpasswd -a -i rumba</userinput>
New SMB password: XXXXXXXX
Retype SMB password: XXXXXXXX
Added user rumba$
</screen>

where <option>-a</option> means to add a new account into the
passdb database and <option>-i</option> means: ''create this
account with the InterDomain trust flag''.
</para>

<para>
The account name will be 'rumba$' (the name of the remote domain, with a trailing $).
</para>

<para>
After issuing this command you'll be asked to enter the password for
the account. You can use any password you want, but be aware that Windows NT will
not change this password until 7 days following account creation.
After the command returns successfully, you can look at the entry for the new account
(in the standard way depending on your configuration) and see that the account's name is
really RUMBA$ and it has the 'I' flag in the flags field. Now you're ready to confirm
the trust by establishing it from Windows NT Server.
</para>
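<para>
An added check for the verification step just described (example code, not part of the Samba HOWTO
or the Samba project): the shell function below parses the verbose listing that 'pdbedit -L -v'
prints for one account and confirms that the entry is named RUMBA$ and carries the 'I' flag rather
than an ordinary user ('U') or workstation ('W') flag, which is what you get if -i was forgotten.
The "Unix username:" / "Account Flags:" line layout is assumed from pdbedit's output, the function
names are this example's own, and the sample listings are constructed.
</para>

```sh
#!/bin/sh
# Added example (not from the Samba HOWTO): confirm that the passdb entry created
# with "smbpasswd -a -i rumba" really is an interdomain trust account.
# Assumes the "Unix username:" / "Account Flags:" lines of 'pdbedit -L -v' output.

# check_trust_account DOMAIN LISTING
# Returns 0 when LISTING (pdbedit verbose output for one account) describes the
# trust account for DOMAIN: name DOMAIN$ and the 'I' flag set. 'U' (user) or
# 'W' (workstation) in the flags means the account was created without -i.
check_trust_account() {
    want=$(printf '%s$' "$1" | tr '[:lower:]' '[:upper:]')
    name=$(printf '%s\n' "$2" |
           sed -n 's/^Unix username:[[:space:]]*\([^[:space:]]*\).*/\1/p' |
           tr '[:lower:]' '[:upper:]')
    flags=$(printf '%s\n' "$2" |
            sed -n 's/^Account Flags:[[:space:]]*\[\([^]]*\)\].*/\1/p')
    if [ "$name" != "$want" ]; then
        echo "account is '$name', expected '$want'" >&2
        return 1
    fi
    case "$flags" in
        *U*|*W*) echo "flags [$flags]: ordinary user/workstation account, not a trust" >&2
                 return 1 ;;
        *I*)     return 0 ;;
        *)       echo "flags [$flags]: 'I' (interdomain trust) flag missing" >&2
                 return 1 ;;
    esac
}

# verify_trust DOMAIN: run the check against the live passdb (as root on the PDC).
verify_trust() {
    acct=$(printf '%s$' "$1" | tr '[:lower:]' '[:upper:]')
    check_trust_account "$1" "$(pdbedit -L -v -u "$acct")"
}

# Constructed sample listings in the shape of 'pdbedit -L -v' output.
SAMPLE_TRUST='Unix username:        rumba$
NT username:
Account Flags:        [I          ]
User SID:             S-1-5-21-0-0-0-1001'
SAMPLE_USER='Unix username:        rumba$
NT username:
Account Flags:        [U          ]'

if [ "${1:-}" = "demo" ]; then
    check_trust_account rumba "$SAMPLE_TRUST" && echo "RUMBA\$ is a trust account"
    check_trust_account rumba "$SAMPLE_USER" || echo "plain user account rejected"
fi
```

Run with the argument "demo" to exercise the constructed samples, or call verify_trust rumba on the Samba PDC to check the real entry.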

<para>
Open <application>User Manager for Domains</application> and from the menu
<guimenu>Policies</guimenu> select <guimenuitem>Trust Relationships...</guimenuitem>.
Right beside the <guilabel>Trusted domains</guilabel> list box press the
<guibutton>Add...</guibutton> button. You will be prompted for
the trusted domain name and the relationship password. Type in SAMBA, as this is
your domain name, and the password used at the time of account creation.
Press OK and, if everything went without incident, you will see the
<computeroutput>Trusted domain relationship successfully
established</computeroutput> message.
</para>

</sect2>

<sect2>
<title>Samba-3 as the Trusted Domain</title>

<para>
This time the activities are somewhat reversed. Again, we'll assume that your domain
controlled by the Samba PDC is called SAMBA and the NT-controlled domain is called RUMBA.
</para>

<para>
The very first requirement is to add an account for the SAMBA domain on RUMBA's PDC.
</para>

<para>
Launch the <application>Domain User Manager</application>, then from the menu select
<guimenu>Policies</guimenu>, <guimenuitem>Trust Relationships</guimenuitem>.
Now, next to the <guilabel>Trusted Domains</guilabel> box press the <guibutton>Add</guibutton>
button, and type in the name of the trusted domain (SAMBA) and the password securing
the relationship.
</para>

<para>
The password can be arbitrarily chosen. It is easy to change the password
from the Samba server whenever you want. After confirming the password your account is
ready for use. Now it's Samba's turn.
</para>

<para>
Using your favourite shell while being logged in as root, issue this command:
</para>

<para>
<screen>
&rootprompt; <userinput>net rpc trustdom establish rumba</userinput>
</screen>
</para>

<para>
You will be prompted for the password you just typed on your Windows NT4 Server box.
Do not worry if you see an error message that mentions a returned code of
<errorname>NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT</errorname>. It means the
password you gave is correct and the NT4 Server says the account is
ready for interdomain connection and not for ordinary
connection. After that, be patient, as it can take a while (especially
in large networks); you should see the <computeroutput>Success</computeroutput> message.
Congratulations! Your trust relationship has just been established.
</para>

<note><para>
Note that you have to run this command as root because you must have write access to
the <filename>secrets.tdb</filename> file.
</para></note>

</sect2>
</sect1>

<sect1>
<title>Common Errors</title>

<para>
Interdomain trust relationships should NOT be attempted on networks that are unstable
or that suffer regular outages. Network stability and integrity are key concerns with
distributed trusted domains.
</para>

<sect2>
<title>Tell me about Trust Relationships using Samba</title>

<para>
Like many, I administer multiple LANs connected together using NT trust
relationships. This was implemented about 4 years ago. I now have the
occasion to consider performing this same task again, but this time, I
would like to implement it solely through samba - no Microsoft PDCs
anywhere.
</para>

<para>
I have read documentation on samba.org regarding NT-style trust
relationships and am now wondering, can I do what I want to? I already
have successfully implemented 2 samba servers, but they are not PDCs.
They merely act as file servers. I seem to remember, and it appears to
be true (according to samba.org) that trust relationships are a
challenge.
</para>

<para>
Please provide any helpful feedback that you may have.
</para>

<para>
These are almost complete in Samba 3.0 snapshots. The main catch
is getting winbindd to be able to allocate uid/gid's for trusted
users/groups. See the updated Samba HOWTO collection for more
details.
</para>

</sect2>

</sect1>

</chapter>