Trust Relationship Background
MS Windows NT3/4-type security domains employ a nonhierarchical security structure.
The limitations of this architecture as it effects the scalability of MS Windows networking
in large organizations is well known. Additionally, the flat namespace that results from
this design significantly impacts the delegation of administrative responsibilities in
large and diverse organizations.
Microsoft developed Active Directory Service (ADS), based on Kerberos and LDAP, as a means
of circumventing the limitations of the older technologies. Not every organization is ready
or willing to embrace ADS. For small companies the older NT4-style domain security paradigm
is quite adequate, and so there remains an entrenched user base for whom there is no direct
desire to go through a disruptive change to adopt ADS.
With Windows NT, Microsoft introduced the ability to allow different security domains
to effect a mechanism so users from one domain may be given access rights and privileges
in another domain. The language that describes this capability is couched in terms of
. Specifically, one domain will
from another domain. The domain from which users can access another security domain is
said to be a trusted domain. The domain in which those users have assigned rights and privileges
is the trusting domain. With NT3.x/4.0 all trust relationships are always in one direction only,
so if users in both domains are to have privileges and rights in each others' domain, then it is
necessary to establish two relationships, one in each direction.
Further, in an NT4-style MS security domain, all trusts are nontransitive. This means that if there are three
domains (let's call them red, white, and blue), where red and white have a trust relationship, and white and
blue have a trust relationship, then it holds that there is no implied trust between the red and blue domains.
Relationships are explicit and not transitive.
New to MS Windows 2000 ADS security contexts is the fact that trust relationships are two-way by default.
Also, all inter-ADS domain trusts are transitive. In the case of the red, white, and blue domains, with
Windows 2000 and ADS, the red and blue domains can trust each other. This is an inherent feature of ADS
domains. Samba-3 implements MS Windows NT4-style interdomain trusts and interoperates with MS Windows 200x ADS
security domains in similar manner to MS Windows NT4-style domains.