Interdomain Trusts - Samba


  1. Interdomain Trusts

    When setting up interdomain trusts under Windows NT4 the name of the trust
    account was purely optional.

    In other words, in setting up a one-way trust from DomA to DomB, one could go
    into the NT4 Domain User Manager to set up a trust account called "GoodGuyA"
    and then on DomB complete the trust simply by specifying the name "GoodGuyA"
    and the password previously used on DomA.

    It appears that the "net rpc trustdom establish" command insists on using the
    actual domain name and not any arbitrary name for the trust relationship.
    Even use of the -W or -S command line arguments does not permit the use of
    valid alternative interdomain trust names.

    Is there a particular reason for enforcing this semantic on this tool? In
    other words, is there a protocol-specific factor that excludes the ability to
    do what NT4 allows? Could this have anything to do with AD interdomain
    trusts?

    This horrible question has emerged out of trying to help a site to resolve
    HIPAA and SOX regulatory compliance issues. The current behavior of "net rpc
    trustdom establish" prevents them from using a solution that would fit within
    their current LDAP directory framework while still meeting these awful legal
    requirements.

    Does anyone have a comment or solution to offer - or just some insight to the
    issues? I will be revising the Interdomain trust documentation and the
    Winbindd documentation in the HOWTO over the next few days and would like to
    close out a lot of grey areas that have come to light from trying to help a
    couple of Samba admins.

    Thanks.

    - John T.


  2. Re: Interdomain Trusts


    John H Terpstra wrote:

    > Is there a particular reason for enforcing this semantic on
    > this tool? In other words, is there a protocol-specific
    > factor that excludes the ability to do what NT4 allows? Could
    > this have anything to do with AD interdomain trusts?

    Because we grab the domain SID I believe. So the domain name needs to be
    valid and one we can contact.

    cheers, jerry
    --
    Samba ------- http://www.samba.org
    Likewise Software --------- http://www.likewisesoftware.com
    "What man is a man who does not make the world better?" --Balian