[PATCH] spnego SPN fix when contacting trusted domains

Steven Danneman steven.danneman at isilon.com
Mon May 12 23:50:42 GMT 2008

> 0001-Use-machine....
>   I think the change to secrets.c may break winbindd running
>   on a PDC.  The change to winbindd_cm.c is ok since we only
>   do krb5 logins on a domain member server anyways.


I've looked into this a little more today.  My initial impression is
that there are two situations where we need to acquire credentials to
access a trusted domain:

1) Samba is a PDC, and is using the trust account and password
established when the trust relationship was created.

2) Samba is a member server and is using its machine account and machine
password, first to kinit to its PDC, then to connect directly to the
trusted PDC.

I believe both of these cases are covered by patch 0001.  Is there
another scenario that I'm missing?


More information about the samba-technical mailing list