Samba 3.0 and AD trusted domains

Brad Cain Brad.Cain at
Wed Aug 20 22:31:34 GMT 2003

Question about Samba 3.0 AD and trusted domains...

In ldap.c, ads_connect, I noticed this after having trouble with
winbind connecting to trusted domains:

        /* this is a really nasty hack to avoid ADS DNS problems. It needs a patch
           to MIT kerberos to work (tridge) */
        char *env;
        asprintf(&env, "KRB5_KDC_ADDRESS_%s",
        setenv(env, ads->auth.kdc_server, 1);

Am I right to assume that without this samba hack (and the matching krb5
lib hack) the krb libraries cannot get the krb server for a
*trusted* domain/realm?

If I don't use this then winbind returns krb5 lib errors about not
finding the kdc for a dynamically discovered (trusted) realm.

Although it's a hack, shouldn't this really be more mainline... Not
supporting AD trusted domains seems like a big hole...   Or am I missing
another way to make this work (aside from manually configuring all of my
trusted realms by hand in my krb5.conf)?

[note: another (probably worse hack :) would be to have winbind stuff
the realm/kdc pairs in krb5.conf -- the advantage being that dynamically
discovered trusted domains can now be used by other software (e.g.

