Samba4 Domain Trusts -- Outlook?

Andrew Bartlett abartlet at
Sun Oct 16 19:31:34 MDT 2011

On Sun, 2011-10-16 at 20:14 -0400, Charles Tryon wrote:
> I've seen it mentioned here that Samba4 does NOT (YET) support setting up
> domain trusts with other AD domains, but that this is something that is very
> high on the list of things to work on.
> Is there any kind of outlook on when this functionality might find it's way
> into Samba4?  I'm asking because I'm trying to convince my boss to let us
> set up Samba4 to support our domain here, but her concern is that, as a
> larger organization, we're going to have to be able to establish trust
> relationships with other AD servers already in the organization.  (Our
> centrally managed Exchange server is a big one!)  I'm looking for what I can
> honestly tell her about whether or not that capability will be supported
> "some time soon."  (I'm not afraid of going out on a limb, but I'd at least
> like to know how far out I can go...)

We are actively working on inter-domain trusts, where Samba is part of
an existing forest.  We have this working for DRS replication (as a
demonstration), and for kerberos, but we do not yet allow NTLM logins to
traverse the trust, and we support for anything other than parent-child
domains is weak. 

Inter-forest trusts are a different thing, and should be simpler, but we
have only implemented this to the extent that it falls out of the single
forest example. 

The interesting case of promoting a Samba3 domain into an existing
forest has not yet been contemplated, but we have the parts that could
be used to build such a beast, if the need were there.

Andrew Bartlett

Andrew Bartlett                      
Authentication Developer, Samba Team 

More information about the samba-technical mailing list