Samba 3.0 and AD trusted domains
Brad Cain
Brad.Cain at storigen.com
Wed Aug 20 22:31:34 GMT 2003
Question about Samba 3.0 AD and trusted domains...
In ldap.c, ads_connect, I noticed this after having trouble with
winbind connecting to trusted domains:
    #if KRB5_DNS_HACK
        /* this is a really nasty hack to avoid ADS DNS problems. It needs a patch
           to MIT kerberos to work (tridge) */
        {
            char *env;
            asprintf(&env, "KRB5_KDC_ADDRESS_%s", ads->config.realm);
            setenv(env, ads->auth.kdc_server, 1);
            free(env);
        }
    #endif
Am I right to assume that without this samba hack (and the matching krb5
lib hack) that the krb libraries cannot get the krb server for a
*trusted* domain/realm?
If I don't use this then winbind returns krb5 lib errors about not
finding the kdc for a dynamically discovered (trusted) realm.
Although it's a hack, shouldn't this really be more mainline... Not
supporting AD trusted domains seems like a big hole... Or am I missing
another way to make this work (aside from manually configuring all of my
trusted realms by hand in my krb5.conf)?
[note: another (probably worse hack :) would be to have winbind stuff
the realm/kdc pairs in krb5.conf -- the advantage being that dynamically
discovered trusted domains can now be used by other software (e.g.
pam_krb5)]
Thanks
-brad
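
Added example, not part of the original post and not Samba code: a sketch of the alternative mentioned in the note above, rendering discovered realm/KDC pairs as a krb5.conf [realms] section. The names realm_kdc, name_ok and build_realms_section are hypothetical, and the DNS-style character whitelist is an assumption, applied so a value learned from a trusted domain cannot inject extra lines or sections into the file.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

struct realm_kdc { const char *realm, *kdc; };   /* hypothetical type */
/* DNS-style names only: no newline, brace or '=' can reach krb5.conf. */
static int name_ok(const char *s)
{
    if (!s || !*s || strlen(s) > 255)
        return 0;
    for (; *s; s++)
        if (!isalnum((unsigned char)*s) && !strchr(".-_", *s))
            return 0;
    return 1;
}

/* Returns realms written (invalid pairs skipped), -1 if out is too small. */
int build_realms_section(const struct realm_kdc *p, size_t count,
                         char *out, size_t outlen)
{
    size_t used, i;
    int written = 0, n = snprintf(out, outlen, "[realms]\n");
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    used = (size_t)n;
    for (i = 0; i < count; i++) {
        if (!name_ok(p[i].realm) || !name_ok(p[i].kdc))
            continue;
        n = snprintf(out + used, outlen - used,
                     "    %s = {\n        kdc = %s\n    }\n",
                     p[i].realm, p[i].kdc);
        if (n < 0 || (size_t)n >= outlen - used)
            return -1;
        used += (size_t)n;
        written++;
    }
    return written;
}

int main(void)
{
    const struct realm_kdc pairs[] = {   /* constructed; 2nd is rejected */
        { "TRUSTED.EXAMPLE.COM", "dc1.trusted.example.com" },
        { "OTHER.EXAMPLE.COM", "dc1\n[libdefaults]" } };
    char buf[512];
    if (build_realms_section(pairs, 2, buf, sizeof buf) > 0)
        fputs(buf, stdout);
    return 0;
}
```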