Trust Relationships

Trust relationships enable pass-through authentication for users of one domain in another. A trusting domain permits logon authentication for users of a trusted domain. Trusts take various forms depending on the domain type, and Windows 2000/2003 Domain trusts differ from NT Domain trusts. For more information on trusts, consult the MS TechNet papers at http://technet.microsoft.com. For information on HP CIFS Server trust relationships with NT Domains, see Chapter 4 "NT Style Domains".

Windows 2000/2003 Domain trusts can take many forms. HP CIFS Server can support some but not all Windows 2000/2003 trusts as described below:

* HP CIFS PDCs support external trusts, that is, trust relationships established between HP CIFS (Samba) domains and Windows 2000/2003 domains, including incoming, outgoing, and two-way trusts.

* HP CIFS Member Servers do not support all Windows 2000/2003 Domain intra/inter-forest trusts. Most parent-child and child-child trusts are recognized appropriately, and shortcut trusts are supported. Shortcut trusts can be established explicitly between Windows 2000/2003 domains to ensure that HP CIFS Servers recognize forest configurations where necessary.

Transitive trusts, in which domain A trusts domain B, which in turn trusts domain C, so that domain A implicitly trusts domain C, are not honored by HP CIFS Servers.

Establishing External Trust Relationships between HP CIFS PDCs and Windows 2000/2003 Domains

To configure the Windows domain controller for the trust relationship with the Samba domain PDC, perform one of the following procedures as appropriate for the server in your domain.

For a Windows 2000 domain controller, use the Administrative Tools utility to perform the following steps:

1. From the Start menu, select Programs -> Administrative Tools -> Active Directory Domains and Trusts.

2. Right click on the desired Windows domain name, and select Properties.

3. Select the tab Trusts.

4. Perform one of the following actions as desired:

* To add Windows 2000 as a trusting domain, click the Add button next to the box titled "Domains trusted by this domain". For "Trusted Domain", enter the Samba PDC domain name. The Samba domain name is the domain name specified in the "workgroup" parameter of smb.conf. Enter and confirm the trust password and select OK.

* To add Windows 2000 as a trusted domain, click the Add button next to the box titled "Domains that trust this domain". For "Trusting Domain", enter the Samba PDC domain name. Enter and confirm the trust password and select OK.

5. When prompted, review the confirmation and select Yes.

6. Enter the administrator name and password.

7. Select Finish, and then OK.


For a Windows 2003 domain controller, use the Administrative Tools utility to perform the following steps:

1. From the Start menu, select Programs -> Administrative Tools -> Active Directory Domains and Trusts.

2. Right click on the desired Active Directory domain name and select Properties.

3. Select the tab Trusts, then click New Trust. Click Next.

4. Specify the Samba PDC domain name and select Next. The Samba domain name is the domain name specified in the "workgroup" parameter in smb.conf.

5. Select your choice of trust type, One-way: incoming, One-way: outgoing, or Two-way and select Next.

6. Enter and confirm the trust password.

7. Review and select Next.

8. Select Yes and select Next, two more times.

9. Select Finish and then OK.


NOTE: Windows Server 2003 Service Pack 1 (SP1) may require the RestrictAnonymous registry subkey to be set to 0 and the RestrictNullSessAccess registry subkey also to be set to 0. Run regedit from the Start button and find RestrictNullSessAccess under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters. For more details, refer to "trusts RestrictNullSessAccess" on Microsoft TechNet at http://technet.microsoft.com.

To create the corresponding configuration on the Samba domain PDC for a two-way trust relationship with the Windows domain, log on as root and execute the following steps:

1. Run the following command to start the winbind daemon:

startsmb -winbind

2. Add a trust account for the trusting Windows domain to /etc/passwd. The account name is the trusting domain name followed by "$"; create it with the useradd command. For example, the following command adds a trust account for the trusting Windows domain name, windomainA, to /etc/passwd:

useradd windomainA$

Because the useradd command limits account names to 8 characters, you may need to edit /etc/passwd directly to add the trusting Windows domain account.

3. Run smbpasswd to add a Samba account for the trusting Windows domain to your trusted Samba domain database and create a password for the trusting account. Use the same trusting Windows domain name specified in step 2. This password is used by the trusting Windows domain when it establishes the trust relationship. For example, the following command adds the trusting Windows domain account, windomainA, to the Samba domain database:

smbpasswd -a -i windomainA$

4. Run net rpc trustdom to establish the trust with the trusted Windows domain. For example, the following command establishes the trust relationship with the trusted Windows domain name, windomainA, where <windows_dc> is a placeholder for the name of that domain's domain controller:

net rpc trustdom establish windomainA -S <windows_dc> -U windomainA\\Administrator%pw

5. Use the following command to verify the trust relationship:

net rpc trustdom list -U root%pw
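As an added pre-flight check for steps 2 and 3 above (example code, not part of the HP CIFS manual), the following POSIX shell functions read the Samba domain name from smb.conf, test whether the interdomain trust account for a trusting Windows domain already exists in a passwd file, and apply the 8-character useradd limit. The file paths and domain names are parameters; the function names are this example's own.

```shell
#!/bin/sh
# Added example: pre-flight checks for the Samba PDC side of an external
# trust. Run it against copies of smb.conf and /etc/passwd before the
# useradd / smbpasswd steps, so the account name problem is caught first.

# Print the Samba domain name: the "workgroup" value of the given smb.conf.
# This is the name the Windows administrator enters as the trusted domain.
samba_workgroup() {
    sed -n 's/^[[:space:]]*workgroup[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# Build the interdomain trust account name: the trusting domain plus "$".
trust_account_name() {
    printf '%s$\n' "$1"
}

# Classify the trust account for DOMAIN in PASSWD_FILE. Prints one of:
#   present       - account already exists; continue with smbpasswd -a -i
#   missing-short - name fits the 8-character limit; useradd can create it
#   missing-long  - name exceeds 8 characters; useradd will refuse, so the
#                   entry has to be added to /etc/passwd by hand
trust_account_status() {
    passwd_file=$1
    account=$(trust_account_name "$2")
    if awk -F: -v a="$account" '$1 == a { found = 1 } END { exit !found }' "$passwd_file"; then
        echo present
    elif [ "${#account}" -gt 8 ]; then
        echo missing-long
    else
        echo missing-short
    fi
}

# Print the next command to run for DOMAIN, given the status above.
trust_next_step() {
    account=$(trust_account_name "$2")
    case $(trust_account_status "$1" "$2") in
        present)       printf 'smbpasswd -a -i %s\n' "$account" ;;
        missing-short) printf 'useradd %s\n' "$account" ;;
        missing-long)  printf 'edit /etc/passwd: add %s\n' "$account" ;;
    esac
}
```

Note that the manual's own example name, windomainA$, is 11 characters long, which is exactly the case where useradd cannot create the account.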


Establishing a Trust Relationship on an HP CIFS Member Server of a Windows 2000/2003 Domain

HP CIFS Servers will not automatically recognize all intra/inter-forest trusts. CIFS member servers recognize most parent-child and child-child relationships and shortcut trusts, but you may need to use the Windows administrative tool "Active Directory Domains and Trusts" to establish explicit shortcut trusts where other trusts are desired. No HP CIFS Server configuration is required.

