Trust status

Stefan (metze) Metzmacher metze at samba.org
Sun Dec 7 09:45:12 GMT 2008


Andrew Bartlett schrieb:
> On Thu, 2008-12-04 at 16:33 +0100, Stefan (metze) Metzmacher wrote:
>>>>>> Can Samba3 trust us? (With the extended dn fixes applied)
>>>>> I hope to have this working soon. 
>>>> Both as workstation and domain trust?
>>> Well, my hope is that once the extended DN work is in, then the
>>> workstation side might be done.  Then we can test over domain trusts and
>>> see if we missed anything else.
>> I managed to set up that a samba3 pdc trusts samba4 dc.
>> With today's commits and manually setting
>> userPrincipalName: VZ0S3DOM at vz0s4dom.mx.base of the VZ0S3DOM$
>> account.
>>
>> I couldn't find a quick way to fix your kdc to automatically find the keys
>> for the VZ0S3DOM at vz0s4dom.mx.base client principal.
> 
> OK, I'll try to look at this next week.  It needs to notice that it's a
> trusted domain name and redirect into the trusted domain entries (which
> as you notice, has a different codepath). 

That would be great!

Btw: W2K3 trusts us just fine with krb5 and ntlmssp.

And we trust W2K3 with krb5. The problem with NTLMSSP
is that samba4's winbind has no special case for the domain controller
role. It always sends SamLogon requests to the domain belonging to
service->primary_sid, which means we send the request to our own
netlogon service. We also always use our machine password credentials
for outgoing connections.

Maybe we could store the trust info to our primary domain
in member mode exactly as a trusted domain in dc mode. Then
winbind could just load all trusted domains with one code path
at startup.

metze
