Samba4 Domain Trusts -- Outlook?
abartlet at samba.org
Sun Oct 16 19:31:34 MDT 2011
On Sun, 2011-10-16 at 20:14 -0400, Charles Tryon wrote:
> I've seen it mentioned here that Samba4 does NOT (YET) support setting up
> domain trusts with other AD domains, but that this is something that is very
> high on the list of things to work on.
> Is there any kind of outlook on when this functionality might find its way
> into Samba4? I'm asking because I'm trying to convince my boss to let us
> set up Samba4 to support our domain here, but her concern is that, as a
> larger organization, we're going to have to be able to establish trust
> relationships with other AD servers already in the organization. (Our
> centrally managed Exchange server is a big one!) I'm looking for what I can
> honestly tell her about whether or not that capability will be supported
> "some time soon." (I'm not afraid of going out on a limb, but I'd at least
> like to know how far out I can go...)
We are actively working on inter-domain trusts, where Samba is part of
an existing forest. We have this working for DRS replication (as a
demonstration), and for Kerberos, but we do not yet allow NTLM logins to
traverse the trust, and our support for anything other than parent-child
domains is weak.
Inter-forest trusts are a different thing, and should be simpler, but we
have only implemented this to the extent that it falls out of the single
The interesting case of promoting a Samba3 domain into an existing
forest has not yet been contemplated, but we have the parts that could
be used to build such a beast, if the need were there.
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org