15.3 Native MS Windows NT4 Trusts Configuration


There are two steps to creating an interdomain trust relationship. To effect a two-way trust relationship, it is necessary for each domain administrator to create a trust account for the other domain to use in verifying security credentials.

15.3.1 Creating an NT4 Domain Trust

For MS Windows NT4, all domain trust relationships are configured using the Domain User Manager. This is done from the Domain User Manager Policies entry on the menu bar. From the Policy menu, select Trust Relationships. Next to the lower box labeled Permitted to Trust this Domain are two buttons, Add and Remove. The Add button will open a panel in which to enter the name of the remote domain that will be able to assign access rights to users in your domain. You will also need to enter a password for this trust relationship, which the trusting domain will use when authenticating users from the trusted domain. The password needs to be typed twice (for standard confirmation).

15.3.2 Completing an NT4 Domain Trust

A trust relationship will work only when the other (trusting) domain makes the appropriate connections with the trusted domain. To consummate the trust relationship, the administrator will launch the Domain User Manager, select Policies from the menu, then select Trust Relationships, and click on the Add button next to the box that is labeled Trusted Domains.

A panel will open in which the name of the remote domain and the password assigned to that trust must be entered.

15.3.3 Inter-Domain Trust Facilities

A two-way trust relationship is created when two one-way trusts are created, one in each direction. Where a one-way trust has been established between two MS Windows NT4 domains (let's call them DomA and DomB), the following facilities are created:

Figure 15.1. Trusts overview.

  • DomA (completes the trust connection) Trusts DomB.

  • DomA is the Trusting domain.

  • DomB is the Trusted domain (originates the trust account).

  • Users in DomB can access resources in DomA.

  • Users in DomA cannot access resources in DomB.

  • Global groups from DomB can be used in DomA.

  • Global groups from DomA cannot be used in DomB.

  • DomB does appear in the logon dialog box on client workstations in DomA.

  • DomA does not appear in the logon dialog box on client workstations in DomB.

  • Users/Groups in a trusting domain cannot be granted rights, permissions or access to a trusted domain.

  • The trusting domain can access and use accounts (Users/Global Groups) in the trusted domain.

  • Administrators of the trusted domain can be granted administrative rights in the trusting domain.

  • Users in a trusted domain can be given rights and privileges in the trusting domain.

  • Trusted domain Global Groups can be given rights and permissions in the trusting domain.

  • Global Groups from the trusted domain can be made members in Local Groups on MS Windows Domain Member machines.
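
The directional rules in the list above, as an added example (not from the Samba HOWTO itself): trusts are modeled as directed (trusting, trusted) pairs and a list of access grants is checked against them. The domains beyond DomA and DomB, the grants and the function names are constructed for illustration, and trusts are treated as direct only, since NT4 trusts are not transitive (a property this section does not state).

```python
# Added example: NT4 one-way trusts as directed edges, plus a grant audit.
# All domain names, principals and shares below are constructed sample data.

# (trusting_domain, trusted_domain): the trusting domain accepts accounts
# from the trusted domain. A two-way trust is two entries, one per direction.
TRUSTS = {
    ("DOMA", "DOMB"),                      # one-way: DomA trusts DomB
    ("DOMB", "DOMC"),                      # one-way: DomB trusts DomC
    ("DOMC", "DOMD"), ("DOMD", "DOMC"),    # two-way: DomC <-> DomD
}

# (resource_domain, principal, resource): access granted in resource_domain.
GRANTS = [
    ("DOMA", r"DOMB\Domain Admins", r"\\SRVA\finance"),  # DomA trusts DomB
    ("DOMB", r"DOMA\alice", r"\\SRVB\hr"),               # wrong direction
    ("DOMA", r"DOMC\bob", r"\\SRVA\build"),              # would need A->B->C
    ("DOMD", r"domc\Engineers", r"\\SRVD\cad"),          # two-way trust
]


def trusts(trusting, trusted, table=TRUSTS):
    """True if both names are the same domain or a direct trust exists."""
    a, b = trusting.upper(), trusted.upper()   # NetBIOS names: case-insensitive
    return a == b or (a, b) in table


def usable_account_domains(resource_domain, table=TRUSTS):
    """Domains whose users and global groups can be used in resource_domain."""
    dom = resource_domain.upper()
    return sorted({dom} | {trusted for trusting, trusted in table if trusting == dom})


def audit_grants(grants, table=TRUSTS):
    """Return grants whose principal's domain is not trusted by the resource domain."""
    flagged = []
    for resource_domain, principal, resource in grants:
        principal_domain = principal.partition("\\")[0]
        if not trusts(resource_domain, principal_domain, table):
            flagged.append((resource_domain, principal, resource))
    return flagged


if __name__ == "__main__":
    print("Usable in DOMA:", usable_account_domains("DOMA"))
    for grant in audit_grants(GRANTS):
        print("Not backed by a trust:", grant)
```

A grant flagged by `audit_grants` names an account the resource domain has no direct trust for, which is the case the "cannot" items in the list describe.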



The Official Samba-3 HOWTO and Reference Guide, 2nd Edition
ISBN: 0131882228
EAN: 2147483647
Year: 2005
Pages: 297