Tree-Root Transitive Trusts and winbindd

Steven Danneman steven.danneman at
Wed Aug 19 17:20:32 MDT 2009

Hi Dave,

Thanks for the helpful info.  In my setup the [capaths] configuration
works like a charm, even on MIT 1.4.1.

It is a manual configuration, but a better workaround than creating
explicit "shortcut" trusts between Domain B and Domain C as I was doing.


> -----Original Message-----
> From: Dave Daugherty [mailto:dave.daugherty at]
> Sent: Wednesday, August 19, 2009 10:51 AM
> To: Steven Danneman; samba-technical at
> Subject: RE: Tree-Root Transitive Trusts and winbindd
> Steven,
> For MIT Kerberos I have used the krb5.conf directive [capaths] to
> overcome issues with multiple roots in the same forest.  The downside
> is that it is a manual configuration process.
> Dave Daugherty
> -----Original Message-----
> From: samba-technical-bounces at
> [mailto:samba-technical-bounces at] On Behalf Of Steven
> Danneman
> Sent: Wednesday, August 19, 2009 10:43 AM
> To: samba-technical at
> Subject: Tree-Root Transitive Trusts and winbindd
> Hello All,
> I've been doing a lot of investigation into how transitive tree-root
> trusts are handled by winbindd and I wanted to share my findings.
> A transitive tree-root trust is formed in the following scenario:
> Domain A - is a Forest Root domain
> Domain B - is a Tree Root domain in the same forest as Domain A
> Domain C - is a Tree Root domain in the same forest as Domain A
> Server - is a Samba file server joined to Domain B
> Client - is a Windows desktop client joined to Domain B
> In this scenario Domain A and Domain B have an explicit Tree-Root
> relationship between them.  The same explicit trust relationship
> exists between Domain A and Domain C.  An implicit transitive tree-root
> exists between Domain B and Domain C.
> The problem that started me on this investigation, was attempting to
> "net use" to the Server joined to Domain B from Client with
> of a user in Domain C.  This should work, due to the implicit trust
> between them.  However, in my setup it did not.
> I've tracked down the issue not to a bug in winbindd, but to the
> set of the underlying krb5 client libraries.  In order for the Server
> to authenticate the user in Domain C, the Server must authenticate itself
> to Domain C to acquire user information via LDAP.  This is done through
> a series of Kerberos referral tickets as described in the following
> article:
> This chasing of referrals is handled by the Kerberos client library,
> as I found not completely implemented in MIT libkrb5 until version
> All previous versions of MIT's libkrb5 don't handle this referral
> properly, and thus cause a logon error in the scenario above.
> I haven't done any testing with Heimdal, so I'm unsure of what the
> results there are.
> My conclusion is if you need to support authentication from transitive
> tree-root trusts, you must build winbindd with MIT libkrb5 version
> This is important as version is quite new and not yet included in many
> OS distributions.
> -Steven
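The [capaths] arrangement the thread describes, written out as an added illustration (not configuration posted by either author); the realm names A.FOREST (forest root), B.TREE and C.TREE (tree roots in the same forest) are assumed placeholders:

```ini
# krb5.conf on the Samba file server joined to Domain B (placeholder realms).
[libdefaults]
    default_realm = B.TREE

[capaths]
    # Server's own realm reaching Domain C: hop through the forest root
    # instead of relying on the client library to chase referrals.
    B.TREE = {
        C.TREE = A.FOREST
        A.FOREST = .
    }
    # Reverse direction, for tickets presented by Domain C users.
    C.TREE = {
        B.TREE = A.FOREST
        A.FOREST = .
    }
    # The forest root holds a direct trust with each tree root ("." = direct).
    A.FOREST = {
        B.TREE = .
        C.TREE = .
    }
```

With a ticket for B.TREE in the credential cache, `kvno` for a service principal in C.TREE should then succeed without an explicit shortcut trust between the two tree roots.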

More information about the samba-technical mailing list