Samba 3.0 and AD trusted domains

Brad Cain Brad.Cain at storigen.com
Wed Aug 20 22:31:34 GMT 2003


Question about Samba 3.0 AD and trusted domains...

In ldap.c, ads_connect, I noticed this after having trouble with
winbind connecting to trusted domains:

#if KRB5_DNS_HACK
        /* this is a really nasty hack to avoid ADS DNS problems. It needs a patch
           to MIT kerberos to work (tridge) */
        {
                char *env;
                asprintf(&env, "KRB5_KDC_ADDRESS_%s", ads->config.realm);
                setenv(env, ads->auth.kdc_server, 1);
                free(env);
        }
#endif


Am I right to assume that without this samba hack (and the matching krb5
lib hack) the krb libraries cannot get the krb server for a
*trusted* domain/realm?

If I don't use this then winbind returns krb5 lib errors about not
finding the kdc for a dynamically discovered (trusted) realm.


Although it's a hack, shouldn't this really be more mainline... Not
supporting AD trusted domains seems like a big hole...   Or am I missing
another way to make this work (aside from manually configuring all of my
trusted realms by hand in my krb5.conf)?

[note: another (probably worse hack :) would be to have winbind stuff
the realm/kdc pairs in krb5.conf -- the advantage being that dynamically
discovered trusted domains can now be used by other software (e.g.
pam_krb5)]


Thanks
-brad
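The two mechanisms discussed in the post, the KRB5_KDC_ADDRESS_<realm> environment hack quoted from ads_connect and the krb5.conf alternative Brad floats in his note, are shown side by side below. This is an added illustration, not code from the post or from Samba: kdc_env_name()/set_kdc_address() rebuild the hack's environment variable, and write_realms_stanza() emits the [realms] fragment the note describes. Unlike the quoted snippet it validates the realm and KDC strings before using them, since both arrive from dynamic trust discovery, and checks allocation and buffer sizes. The realm and KDC names are constructed sample values; the struct, function names and the stanza layout are this example's own choices. Note that the environment route only affects the calling process (and needs the patched MIT library), whereas the krb5.conf route is visible to pam_krb5 and other Kerberos users on the host.

```c
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One dynamically discovered trusted realm and the KDC found for it.
 * Hypothetical type for this example; values used below are constructed. */
struct realm_kdc {
    const char *realm;
    const char *kdc;
};

/* Accept a realm only if it looks like a DNS-style Kerberos realm: non-empty
 * and made of letters, digits, '.', '-' or '_'.  Spaces, '=', newlines and
 * control characters are rejected so a realm string received from the
 * network can corrupt neither the environment nor a generated config file. */
static int realm_is_sane(const char *realm)
{
    if (realm == NULL || *realm == '\0')
        return 0;
    for (const char *p = realm; *p != '\0'; p++) {
        if (!isalnum((unsigned char)*p) && *p != '.' && *p != '-' && *p != '_')
            return 0;
    }
    return 1;
}

/* A KDC host string must be non-empty and free of newlines (which would
 * let it inject extra lines into krb5.conf). */
static int kdc_is_sane(const char *kdc)
{
    return kdc != NULL && *kdc != '\0' && strchr(kdc, '\n') == NULL;
}

/* Build the variable name KRB5_KDC_ADDRESS_<realm> that the quoted Samba hack
 * exports.  Returns a malloc'd string the caller frees, or NULL when the realm
 * is unusable or memory runs out.  snprintf is used instead of asprintf so
 * the result is always checked and the code is plain POSIX C. */
char *kdc_env_name(const char *realm)
{
    if (!realm_is_sane(realm))
        return NULL;
    size_t need = strlen("KRB5_KDC_ADDRESS_") + strlen(realm) + 1;
    char *env = malloc(need);
    if (env == NULL)
        return NULL;
    snprintf(env, need, "KRB5_KDC_ADDRESS_%s", realm);
    return env;
}

/* Equivalent of the hack's setenv() call, with input checks added.
 * Returns 0 on success, -1 on invalid input or setenv() failure. */
int set_kdc_address(const char *realm, const char *kdc)
{
    if (!kdc_is_sane(kdc))
        return -1;
    char *env = kdc_env_name(realm);
    if (env == NULL)
        return -1;
    int rc = setenv(env, kdc, 1);
    free(env);
    return rc == 0 ? 0 : -1;
}

/* The alternative from the note: write a krb5.conf [realms] stanza for the
 * discovered realm/kdc pairs into buf (NUL-terminated).  Returns the number
 * of characters written, or -1 if any pair is invalid or buf is too small. */
int write_realms_stanza(const struct realm_kdc *pairs, size_t n,
                        char *buf, size_t len)
{
    size_t off = 0;
    int w = snprintf(buf, len, "[realms]\n");
    if (w < 0 || (size_t)w >= len)
        return -1;
    off += (size_t)w;
    for (size_t i = 0; i < n; i++) {
        if (!realm_is_sane(pairs[i].realm) || !kdc_is_sane(pairs[i].kdc))
            return -1;
        w = snprintf(buf + off, len - off, "\t%s = {\n\t\tkdc = %s\n\t}\n",
                     pairs[i].realm, pairs[i].kdc);
        if (w < 0 || (size_t)w >= len - off)
            return -1;
        off += (size_t)w;
    }
    return (int)off;
}

int main(void)
{
    /* Constructed sample trusts; not real hosts. */
    const struct realm_kdc trusted[] = {
        { "EXAMPLE.COM",      "dc1.example.com" },
        { "CORP.EXAMPLE.NET", "dc1.corp.example.net" },
    };
    char conf[512];

    if (set_kdc_address(trusted[0].realm, trusted[0].kdc) == 0)
        printf("exported KRB5_KDC_ADDRESS_EXAMPLE.COM=%s\n",
               getenv("KRB5_KDC_ADDRESS_EXAMPLE.COM"));
    if (write_realms_stanza(trusted, 2, conf, sizeof conf) > 0)
        fputs(conf, stdout);
    return 0;
}
```

The generated stanza is meant to be merged into krb5.conf by whatever writes that file on the host; an unchecked realm such as one containing "=" or a newline is refused rather than written, which is the check the original one-line asprintf/setenv pair lacks.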


