FIxed [was Re: Authentication through transitive trusts]

Gerald (Jerry) Carter jerry at
Thu Jul 31 06:38:44 GMT 2003

Hash: SHA1

On Mon, 14 Jul 2003, Ken Cross wrote:

> Samba-folk:
> I'm having trouble authenticating through transitive trusts other than
> parent-child configurations.
> I have an Active Directory with SUPTRA at the top and 2 other AD servers,
> KAMA and CAMP, so KAMA and CAMP have an implicit transitive trust.
> 1. If Samba joins SUPTRA (the top), it can authenticate against any domain.
> 2. If Samba joins KAMA, it can authenticate against KAMA and/or SUPTRA, but
> not CAMP.  wbinfo -u shows users from all 3 servers, but wbinfo -m only
> shows SUPTRA.
> If I set up an explicit 2-way trust between KAMA and CAMP, everything
> authenticates OK.  That's not practical in larger enterprises, though.
> Is there some trick to using transitive trusts (SAMBA_3_0)?

I think I've fixed this in winbindd in the lates SAMBA_3_0 cvs code.  
Would you mind testing it an letting me know?   Only catch is the domain 
the Samba box is joined to has to be a native mode domain.  Doesn't
matter for the others.

We might still have problems with getting a wk/xp client to use 
kerberos to authenticate but that doesn't stopthe trusts from working.
I tested your exact scenario and several others and everything seemed
to work out ok.

cheers, jerry
 Hewlett-Packard            -------------------------
 SAMBA Team                 ----------------------
 GnuPG Key                  ----
 "You can never go home again, Oatman, but I guess you can shop there."  
                            --John Cusack - "Grosse Point Blank" (1997)

Version: GnuPG v1.2.1 (GNU/Linux)
Comment: For info see


More information about the samba-technical mailing list