Samba 3.0 and AD trusted domains

Gerald (Jerry) Carter jerry at
Fri Aug 22 15:03:11 GMT 2003

Hash: SHA1

On Wed, 20 Aug 2003, Brad Cain wrote:

> Am I right to assume that without this samba hack (and the matching krb5
> lib hack) that the krb libraries cannot get the krb server for a
> *trusted* domain/realm? 
> If I don't use this then winbind returns krb5 lib errors about not
> finding the kdc for a dynamically discovered (trusted) realm. 
> Although it's a hack, shouldn't this really be more mainline... Not
> supporting AD trusted domains seems like a big hole...   Or am I missing
> another way to make this work (aside from manually configuring all of my
> trusted realms by hand in my krb5.conf)

Rumour has it that you can rebuild the MIT libraries to use SRV 
records to locate KDC's although I've not tracked down the exact details.

> [note: another (probably worse hack :) would be to have winbind stuff
> the realm/kdc pairs in krb5.conf -- the advantage being that dynamically
> discovered trusted domains can now be used by other software (e.g.
> pam_krb5)]

I really hate this idea.  Sorry, but we shouldn't be poking abour in 
krb5.conf since we don't own it.

cheers, jerry
 Hewlett-Packard            -------------------------
 SAMBA Team                 ----------------------
 GnuPG Key                  ----
 "You can never go home again, Oatman, but I guess you can shop there."  
                            --John Cusack - "Grosse Point Blank" (1997)

Version: GnuPG v1.2.0 (GNU/Linux)
Comment: For info see


More information about the samba-technical mailing list