Tree-Root Transitive Trusts and winbindd

Dave Daugherty dave.daugherty at
Wed Aug 19 11:51:08 MDT 2009


For MIT Kerberos I have used the krb5.conf directive [capaths] to
overcome issues with multiple roots in the same forest.  The downside is
that it is a manual configuration process.

Dave Daugherty

-----Original Message-----
From: samba-technical-bounces at
[mailto:samba-technical-bounces at] On Behalf Of Steven
Sent: Wednesday, August 19, 2009 10:43 AM
To: samba-technical at
Subject: Tree-Root Transitive Trusts and winbindd

Hello All,

I've been doing a lot of investigation into how transitive tree-root
trusts are handled by winbindd and I wanted to share my findings.

A transitive tree-root trust is formed in the following scenario:

Domain A - is a Forest Root domain
Domain B - is a Tree Root domain in the same forest as Domain A
Domain C - is a Tree Root domain in the same forest as Domain A

Server - is a Samba file server joined to Domain B
Client - is a Windows desktop client joined to Domain B

In this scenario Domain A and Domain B have an explicit Tree-Root trust
relationship between them.  The same explicit trust relationship exists
between Domain A and Domain C.  An implicit transitive tree-root trusts
exists between Domain B and Domain C.

The problem that started me on this investigation, was attempting to
"net use" to the Server joined to Domain B from Client with credentials
of a user in Domain C.  This should work, due to the implicit trust
between them.  However, in my setup it did not.

I've tracked down the issue not to a bug in winbindd, but to the feature
set of the underlying krb5 client libraries.  In order for the Server to
authenticate the user in Domain C, the Server must authenticate itself
to Domain C to acquire user information via LDAP.  This is done through
a series of Kerberos referral tickets as described in the following

This chasing of referrals is handled by the Kerberos client library, but
as I found not completely implemented in MIT libkrb5 until version 1.7.
All previous versions of MIT's libkrb5 don't handle this referral chain
properly, and thus cause a logon error in the scenario above.

I haven't done any testing with Heimdal, so I'm unsure of what the
results there are.

My conclusion is if you need to support authentication from transitive
tree-root trusts, you must build winbindd with MIT libkrb5 version 1.7.
This is important as version is quite new and not yet included in many
OS distributions.


More information about the samba-technical mailing list