Samba 3.0 and AD trusted domains
Andrew Bartlett
abartlet at samba.org
Wed Aug 20 23:57:59 GMT 2003
On Wed, Aug 20, 2003 at 06:31:34PM -0400, Brad Cain wrote:
>
> Question about Samba 3.0 AD and trusted domains...
>
> In ldap.c, ads_connect, I noticed this after having troubling with
> winbind connecting to trusted domains:
>
> #if KRB5_DNS_HACK
>         /* this is a really nasty hack to avoid ADS DNS problems. It
>            needs a patch to MIT kerberos to work (tridge) */
>         {
>                 char *env;
>                 /* per-realm variable, e.g. KRB5_KDC_ADDRESS_<REALM>, pointing the
>                    (patched) krb5 library at the KDC winbind already located */
>                 asprintf(&env, "KRB5_KDC_ADDRESS_%s", ads->config.realm);
>                 setenv(env, ads->auth.kdc_server, 1);
>                 free(env);
>         }
> #endif
>
>
> Am I right to assume that without this samba hack (and the matching krb5
> lib hack) the krb libraries cannot get the krb server for a
> *trusted* domain/realm?
>
> If I don't use this then winbind returns krb5 lib errors about not
> finding the kdc for a dynamically discovered (trusted) realm.
>
>
> Although it's a hack, shouldn't this really be more mainline... Not
> supporting AD trusted domains seems like a big hole... Or am I missing
> another way to make this work (aside from manually configuring all of my
> trusted realms by hand in my krb5.conf)?
>
> [note: another (probably worse hack :) would be to have winbind stuff
> the realm/kdc pairs in krb5.conf -- the advantage being that dynamically
> discovered trusted domains can now be used by other software (e.g.
> pam_krb5)]
I actually think this could be a good idea...
Andrew Bartlett
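Brad's second suggestion, winbind writing discovered realm/KDC pairs into krb5.conf so that other Kerberos consumers such as pam_krb5 can use them, sketched as an added example that is not Samba code: a merge routine that appends [realms] stanzas only for realms the file does not yet define, leaving administrator-written entries untouched. Realm names and KDC hosts are constructed placeholders.

```python
import re

# Added example, not Samba code: merge discovered trusted-realm KDCs into
# krb5.conf so other Kerberos consumers (pam_krb5, ...) can find them.
REALM_OPEN = re.compile(r"^([A-Za-z0-9.\-]+)\s*=\s*\{$")

def parse_realms(text):
    """Return {REALM: [kdc, ...]} from the [realms] section of krb5.conf text."""
    realms, section, current = {}, None, None
    for line in text.splitlines():
        stripped = line.split("#", 1)[0].strip()      # drop comments/whitespace
        if not stripped:
            continue
        if stripped.startswith("["):                  # section header
            section, current = stripped.strip("[]").lower(), None
        elif section != "realms":
            continue
        elif REALM_OPEN.match(stripped):              # "REALM = {"
            current = REALM_OPEN.match(stripped).group(1).upper()
            realms.setdefault(current, [])
        elif stripped == "}":
            current = None
        elif current and "=" in stripped:
            key, value = (s.strip() for s in stripped.split("=", 1))
            if key == "kdc":
                realms[current].append(value)
    return realms

def merge_realms(text, discovered):
    """Append a stanza for each realm in `discovered` ({realm: kdc}) that the
    file does not already define. Existing entries are never modified, so a
    discovery result cannot silently redirect a realm the admin configured."""
    existing = parse_realms(text)
    stanzas = [f"\t{r.upper()} = {{\n\t\tkdc = {kdc}\n\t}}"
               for r, kdc in sorted(discovered.items()) if r.upper() not in existing]
    if not stanzas:
        return text
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if line.strip().lower() == "[realms]":
            lines[i + 1:i + 1] = stanzas              # insert right under the header
            break
    else:                                             # no [realms] section yet
        lines += ["", "[realms]"] + stanzas
    return "\n".join(lines) + "\n"

# Constructed sample data: an admin-written krb5.conf and the realm/KDC pairs
# winbind might learn for a trusted domain (all names are placeholders).
SAMPLE_KRB5_CONF = ("[libdefaults]\n\tdefault_realm = EXAMPLE.COM\n\n[realms]\n"
                    "\tEXAMPLE.COM = {\n\t\tkdc = dc1.example.com\n"
                    "\t\tadmin_server = dc1.example.com\n\t}\n")
DISCOVERED = {"corp.example.net": "dc1.corp.example.net",
              "EXAMPLE.COM": "dc2.example.com"}       # already configured: ignored
```

Running `merge_realms(SAMPLE_KRB5_CONF, DISCOVERED)` adds only the CORP.EXAMPLE.NET stanza; calling it again on the result is a no-op.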