Samba 3.0 and AD trusted domains

Andrew Bartlett abartlet at
Wed Aug 20 23:57:59 GMT 2003

On Wed, Aug 20, 2003 at 06:31:34PM -0400, Brad Cain wrote:
> Question about Samba 3.0 AD and trusted domains...
> In ldap.c, ads_connect, I noticed this after having troubling with
> winbind connecting to trusted domains:
>         /* this is a really nasty hack to avoid ADS DNS problems. It
> needs a patch
>            to MIT kerberos to work (tridge) */
>         {
>                 char *env;
>                 asprintf(&env, "KRB5_KDC_ADDRESS_%s",
> ads->config.realm);
>                 setenv(env, ads->auth.kdc_server, 1);
>                 free(env);
>         }
> #endif
> Am I right to assume that without this samba hack (and the matching krb5
> lib hack) that the krb libraries cannot get the krb server for a
> *trusted* domain/realm?  
> If I don't use this then winbind returns krb5 lib errors about not
> finding the kdc for a dynamically discovered (trusted) realm.
> Although it's a hack, shouldn't this really be more mainline... Not
> supporting AD trusted domains seems like a big hole...   Or am I missing
> another way to make this work (aside from manually configuring all of my
> trusted realms by hand in my krb5.conf)
> [note: another (probably worse hack :) would be to have winbind stuff
> the realm/kdc pairs in krb5.conf -- the advantage being that dynamically
> discovered trusted domains can now be used by other software (e.g.
> pam_krb5)]

I actually think this could be a good idea... 

Andrew Bartlett

More information about the samba-technical mailing list