Samba 3.0 and AD trusted domains

Gerald (Jerry) Carter jerry at samba.org
Fri Aug 22 15:03:11 GMT 2003


On Wed, 20 Aug 2003, Brad Cain wrote:

> Am I right to assume that without this samba hack (and the matching krb5
> lib hack) that the krb libraries cannot get the krb server for a
> *trusted* domain/realm? 
> 
> If I don't use this then winbind returns krb5 lib errors about not
> finding the kdc for a dynamically discovered (trusted) realm. 
> 
> Although it's a hack, shouldn't this really be more mainline... Not
> supporting AD trusted domains seems like a big hole...   Or am I missing
> another way to make this work (aside from manually configuring all of my
> trusted realms by hand in my krb5.conf)?

Rumour has it that you can rebuild the MIT libraries to use SRV
records to locate KDCs although I've not tracked down the exact details.

> [note: another (probably worse hack :) would be to have winbind stuff
> the realm/kdc pairs in krb5.conf -- the advantage being that dynamically
> discovered trusted domains can now be used by other software (e.g.
> pam_krb5)]

I really hate this idea.  Sorry, but we shouldn't be poking about in
krb5.conf since we don't own it.




cheers, jerry
 ----------------------------------------------------------------------
 Hewlett-Packard            ------------------------- http://www.hp.com
 SAMBA Team                 ---------------------- http://www.samba.org
 GnuPG Key                  ---- http://www.plainjoe.org/gpg_public.asc
 "You can never go home again, Oatman, but I guess you can shop there."  
                            --John Cusack - "Grosse Point Blank" (1997)

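For readers following the thread, an added krb5.conf fragment (not from either mail, nor Samba's own configuration) contrasting the per-realm stanzas Brad wants to avoid maintaining by hand with the DNS SRV lookup Jerry alludes to. Realm and host names are placeholders; the `dns_lookup_kdc` option is MIT krb5's documented switch, assumed here to be built into the library (a compile-time option in the MIT releases of the time, on by default in later ones).

```ini
# Added example, not from the mailing-list post: minimal MIT krb5.conf
# showing both ways a client can find the KDC of a trusted AD realm.
# Comments must sit on their own lines; krb5.conf has no trailing comments.

[libdefaults]
    default_realm = EXAMPLE.COM
    # Approach 1: let libkrb5 locate KDCs for ANY realm by querying the
    # SRV records AD publishes (_kerberos._udp.<REALM>, _kerberos._tcp.<REALM>).
    # Trusted realms that winbind discovers at run time then need no stanza
    # below, so nothing has to rewrite this file.
    dns_lookup_kdc = true
    # Host-to-realm mapping via DNS TXT records is a separate, riskier step
    # (it decides which realm's KDC a client trusts for a given host); keep it
    # off and use the static [domain_realm] table instead.
    dns_lookup_realm = false

[realms]
    # Approach 2: the manual entries Brad objects to. Every trusted realm
    # needs its own stanza; a realm missing here yields the "cannot find KDC"
    # error he describes unless dns_lookup_kdc is enabled above.
    EXAMPLE.COM = {
        kdc = dc1.example.com:88
        admin_server = dc1.example.com:749
    }
    TRUSTED.EXAMPLE.NET = {
        kdc = dc1.trusted.example.net:88
    }

[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
    .trusted.example.net = TRUSTED.EXAMPLE.NET
```

With approach 1 the client still relies on unsigned DNS to choose a KDC, so a spoofed SRV record can redirect or deny service but cannot produce tickets under the realm's keys; with approach 2 the file itself is the trust anchor, which is why Jerry objects to any daemon editing it.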
