Trust status

Andrew Bartlett abartlet at
Wed Dec 3 21:29:13 GMT 2008

On Wed, 2008-12-03 at 22:13 +0100, Stefan (metze) Metzmacher wrote:
> >> what's the status of trust support in samba4?
> > 
> > Very poor.  This is my next task, once I get the extended DN work in. 
> > 
> >> Can NT4 trust us?
> > 
> > Probably. 
> > 
> >> Can we trust NT4?
> > 
> > No.
> > 
> >> Can an AD-Forest trust us using krb5?
> > 
> > We have some of the KDC parts done (as Heimdal has cross-realm already),
> > but in setting up the trust windows asks us to use a LSA Op that we
> > don't yet implement. 
> > 
> >> Can we trust an AD-Forest using krb5?
> > 
> > Similarly, this should be the next task. 
> > 
> >> Can an AD-Forest trust us using ntlmssp?
> Isn't this similar to the NT4 trusts us case?

Yes, but in order for it to build up the full details of what domains we
might trust, it makes LSA calls we don't yet support. 

> >> Can we trust an AD-Forest using ntlmssp?
> >
> > Both of these require more work with winbind and creating a 
> > map of the full transitive set of trusts.
> Can you describe how that should in theory work?
> I mean the logic of creating this map and what we need to do.

This kind of detail is the kind of thing I've been asking Microsoft to
produce.  Until they do so (and I understand they have decided to engage
writers to do that) we can and should ask some of the particular
questions via the WSPP process. 

> I'm just interested in one domain in each forest currently...

Indeed.  I would be very glad to get just something working at this

> >> Can Samba3 trust us? (With the extended dn fixes applied)
> > 
> > I hope to have this working soon. 
> Both as workstation and domain trust?

Well, my hope is that once the extended DN work is in, then the
workstation side might be done.  Then we can test over domain trusts and
see if we missed anything else.

Andrew Bartlett

Andrew Bartlett
Authentication Developer, Samba Team 
Samba Developer, Red Hat Inc.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url :

More information about the samba-technical mailing list