9.6. Domain Trusts
Samba 3.0 was the first version to support Windows NT 4.0 style one-way trusts, which can be used to connect Samba domains to both NT and Active Directory domains. A two-way trust is simply a pair of one-way trusts, one in each direction. Initiating a trust relationship is very similar to the process of joining a domain described earlier in this chapter. The trusted domain (the one whose users will be granted access) creates a domain trust account, whose purpose is analogous to that of a machine trust account. The trusting domain (the one whose resources will be accessed) then establishes the relationship by joining the trust, much as a member server joins a domain. We'll next walk through an example of setting up trusts in both directions between a Samba domain (ORA) and an Active Directory domain (BOOKS).
First, you must have a fully configured Samba domain. Samba restricts the right to create domain trusts to members of the Domain Admins group, so you must configure an appropriate group mapping entry for that group if you have not already done so. You also must either create the Unix account that will back the domain trust account, named after the trusting domain with a $ appended (e.g., books$), or configure a working add machine script in smb.conf so that Samba can create it on demand.
Use the net rpc trustdom command to create the domain trust account on the Samba PDC. The add subcommand takes the name of the trusting domain (BOOKS) followed by the new trust account password (sambapw); -S names the Samba PDC and -U an account that is a member of Domain Admins:
    $ net rpc trustdom add BOOKS sambapw -S stork -U cindy
    Password: <enter cindy's password>
If all goes well, you are returned immediately to a shell prompt. You can verify that the account was created using pdbedit; the I account flag marks it as an interdomain trust account. Note that the trust password is stored as ordinary LM and NT hashes: the second half of the LM hash below (AAD3B435B51404EE) is the well-known hash of an empty block, which tells anyone who can read the passdb that the password is seven characters or shorter. sambapw is fine for an example, but use a long trust password in practice. (The following output has been wrapped for better readability.)
    # pdbedit -L -w books$
    BOOKS$:10018:A01531C54AE6F75CAAD3B435B51404EE:
        45F9E3989DD87751210C054A9B3A134E:[I          ]:LCT-44DA55A9:
Now add ORA as a trusted domain from the Windows domain controller. Figure 9-12 shows the books.plainjoe.org domain properties, as displayed by the Windows 2000 Active Directory Domains and Trusts MMC plug-in. The top section of this dialog lists the domains trusted by this domain and is used to connect to a trusted domain; that is the direction you want here, since BOOKS is to trust ORA. There are no existing domain trust relationships in the screenshot.
Figure 9-12. Trust relationships for the books.plainjoe.org AD domain
Now select Add from the top section and enter the name of the Samba domain (ORA) along with the password specified in the net rpc trustdom add command. You should be greeted with a dialog box similar to the one in Figure 9-13, indicating that the trust has been established and verified.
Figure 9-13. Confirming a successfully established trust between Samba and AD
You can use smbclient to test the trust relationship by connecting to a share on any member server in the BOOKS domain as a user from the ORA domain:
    $ smbclient //windc/public -U cindy -W ORA
    Password: <enter cindy's password>
    Domain=[BOOKS] OS=[Windows 5.0] Server=[Windows 2000 LAN Manager]
    smb: \>
Next, it is time to create the trust relationship in the other direction, so that ORA trusts BOOKS. This time BOOKS is the trusted domain, so the trust account is created on the Windows DC: use the lower half of the Trusts dialog box shown in Figure 9-12, which lists the domains that trust this domain, and add ORA there.
You will initially receive a message that Windows cannot verify the trust. This is because you have not yet established the trust on the Samba DC. To do so, run the net rpc trustdom establish command on the Samba PDC, giving the trusted domain name as the sole parameter; when prompted, enter the trust password you set in the Windows dialog. This must be done as root so that the net tool can write the trust password to secrets.tdb.
    # net rpc trustdom establish BOOKS
    Password: <enter trust password here>
    Trust to domain BOOKS established
You should now be able to return to the Windows DC and verify the trust.
You can view the list of current trusts with the net rpc trustdom list command. The output has two parts: the trusted domains list (domains this domain trusts, for which Samba holds a trust password in secrets.tdb) and the trusting domains list (domains that trust this domain, for which Samba holds a trust account in its passdb). The command reports only that these entries exist; it does not test whether either trust currently works, so use a cross-domain smbclient connection, as shown earlier, for that.
    # net rpc trustdom list -U cindy
    Password: <enter cindy's password>
    Trusted domains list:

    BOOKS               S-1-5-21-4200961138-2496335650-1239021823

    Trusting domains list:

    BOOKS               S-1-5-21-4200961138-2496335650-1239021823
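The two checks in this section, the pdbedit listing of the trust account and the net rpc trustdom list output, are easy to eyeball once but worth scripting when you maintain several trusts. The following POSIX shell script is an added example, not code from the book or from the Samba project. It works on constructed copies of both outputs: the hashes and SIDs are the ones printed in this section, plus one invented account line standing in for a trust account whose LM hash Samba did not store (Samba writes that field as 32 X characters). It confirms that the trust account carries the I flag, flags the well-known empty-block LM half that betrays a password of seven characters or fewer, and reports whether a domain appears as trusted, trusting or both. The function and variable names are this example's own, not Samba's.

```shell
#!/bin/sh
# Added example: sanity checks over the text output of pdbedit -L -w and
# net rpc trustdom list. Not from the book or the Samba project; the sample
# outputs below are constructed (hashes and SIDs copied from this section,
# plus one invented account line), and every name here is this example's own.

# Constructed `pdbedit -L -w books$` output: the BOOKS$ trust account as
# printed in this section. Field 5 holds the account flags; I = interdomain trust.
PDBEDIT_OUT='BOOKS$:10018:A01531C54AE6F75CAAD3B435B51404EE:45F9E3989DD87751210C054A9B3A134E:[I          ]:LCT-44DA55A9:'

# Constructed line for a trust account with no LM hash stored (Samba writes
# the LM field as 32 X characters in that case); the NT hash is invented.
PDBEDIT_STRONG='BOOKS$:10018:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:0123456789ABCDEF0123456789ABCDEF:[I          ]:LCT-44DA55A9:'

# Constructed `net rpc trustdom list` output for a two-way trust with BOOKS.
TRUSTDOM_OUT='Trusted domains list:

BOOKS               S-1-5-21-4200961138-2496335650-1239021823

Trusting domains list:

BOOKS               S-1-5-21-4200961138-2496335650-1239021823
'

# Constructed output after only the first half of the procedure: BOOKS
# trusts ORA, so from ORA's side BOOKS is a trusting domain only.
TRUSTDOM_ONEWAY='Trusted domains list:

Trusting domains list:

BOOKS               S-1-5-21-4200961138-2496335650-1239021823
'

# LM hash of an empty 7-byte block; it is the second half of the LM hash of
# any password that is seven characters or shorter.
LM_EMPTY_HALF=AAD3B435B51404EE

# trust_account_flags ACCOUNT OUTPUT: print ACCOUNT's flag letters, or nothing.
trust_account_flags() {
    printf '%s\n' "$2" | awk -F: -v acct="$1" '
        toupper($1) == toupper(acct) {
            flags = $5
            gsub(/[^A-Za-z]/, "", flags)   # drop brackets and padding
            print flags
        }'
}

# trust_account_check ACCOUNT OUTPUT: print "ok" when ACCOUNT exists, carries
# the I flag and its LM hash does not reveal a short password; else a reason.
trust_account_check() {
    flags=$(trust_account_flags "$1" "$2")
    lm=$(printf '%s\n' "$2" | awk -F: -v acct="$1" \
        'toupper($1) == toupper(acct) { print toupper($3) }')
    case "$flags" in
        '')  echo "missing: no account $1 in passdb"; return ;;
        *I*) ;;
        *)   echo "wrong-type: $1 has flags [$flags], expected I"; return ;;
    esac
    case "$lm" in
        *"$LM_EMPTY_HALF") echo "weak-password: LM hash shows a trust password of 7 characters or fewer" ;;
        *) echo ok ;;
    esac
}

# trust_direction DOMAIN OUTPUT: print "two-way", "trusted", "trusting" or
# "none", depending on which section(s) of the trustdom list DOMAIN appears in.
trust_direction() {
    printf '%s\n' "$2" | awk -v dom="$1" '
        /^Trusted domains list:/  { section = "trusted";  next }
        /^Trusting domains list:/ { section = "trusting"; next }
        NF >= 2 && toupper($1) == toupper(dom) && $2 ~ /^S-1-5-21-/ { seen[section] = 1 }
        END {
            if (seen["trusted"] && seen["trusting"]) print "two-way"
            else if (seen["trusted"])                print "trusted"
            else if (seen["trusting"])               print "trusting"
            else                                      print "none"
        }'
}

# Stand-alone run over the constructed samples.
echo "BOOKS\$ trust account:   $(trust_account_check 'BOOKS$' "$PDBEDIT_OUT")"
echo "trust with BOOKS (both): $(trust_direction BOOKS "$TRUSTDOM_OUT")"
echo "trust with BOOKS (half): $(trust_direction BOOKS "$TRUSTDOM_ONEWAY")"
```

On a live PDC you would feed the functions the real output, for example trust_account_check 'BOOKS$' "$(pdbedit -L -w 'books$')" and trust_direction BOOKS "$(net rpc trustdom list -U cindy)". The page's own sample is reported as weak-password precisely because sambapw is seven characters long; a trust account whose LM hash is absent or whose password exceeds seven characters passes.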
In order to connect to the Samba server using an account from the BOOKS domain, the server requires some method to deal with users and groups from the trusted domain. The best way to do this is with Winbind. Conceptually, these trusted users and groups on a Samba PDC are no different from domain users and groups on a Samba member server. To set up Winbind on a Samba DC, follow the same steps you would for a Samba member server (described in Chapter 10) with the exception of maintaining the security = user setting instead of one of the domain mode security settings. On a DC, Winbind allocates uids and gids only for accounts outside of its own domain.
Table 9-5 completes our discussion of domain trusts with an overview of the net rpc trustdom commands.