Does Samba4 support Cross forest trusts

Charles Tryon charles.tryon at
Wed Jun 13 14:05:29 MDT 2012

*Given all the previous caveats...* I have had some success setting up
trust relationships by simply using the Microsoft "Active Directory Domains
and Trusts" administrative tools.  It would be good to try this out in some
sort of test environment, since there's a high probability that it won't
really work as you expect, but it would be worth a try!  Whatever happens,
be sure to report back to the list what your results are, since there are
some people (like myself) who have been interested in this functionality.

On Wed, Jun 13, 2012 at 2:10 PM, Avinash Gupta <gavinashg at>wrote:

> Thanks Samba experts. Is there a documentation to setup cross forest trust
> (between two Samba forest domains).
> -----Original Message----- From: Andrew Bartlett
> Sent: Monday, May 28, 2012 4:50 AM
> To: Trever Adams
> Cc: Avinash Gupta ; samba-technical at lists.samba.**org<samba-technical at>
> Subject: Re: Does Samba4 support Cross forest trusts
> On Sun, 2012-05-27 at 18:29 -0600, Trever Adams wrote:
>> On Sun, May 27, 2012 at 4:45 PM, Andrew Bartlett <abartlet at>
>> wrote:
>> > On Tue, 2012-05-22 at 17:12 -0700, Avinash Gupta wrote:
>> >> We have two Samba4 forest domains which act as domain controllers.
>> >> We would like to establish trust between them (either at forest level
>> >> or at domain level).
>> >> We are wondering if Samba4 supports this scenario.
>> >
>> > We have parts of the infrastructure required for this, but not a
>> > complete solution.  In particular, if you were to try this now, we would
>> > completely trust any cross-forest trust you established (no validation
>> > of SIDs).
>> >
>> > Andrew Bartlett
>> Hello All,
>> I am not sure quite how to go about this. Is there any one on this
>> list that adds features for money?
> Yes, there certainly are.   For the right longer-term Samba4 project, I
> or one of the others on the team may be available and there are
> companies listed on our support pages.
>  If so, how much would it cost to get full cross forest trusts
>> implemented, including the SIDs checking? I need kerberos, unix ids
>> (winbind?), etc.
>> One requirement for payment beyond the above is that it is integrated
>> into the main tree.
> This particular task is quite large to finish properly, because it may
> encompass the change in winbindd implementation that we have planned,
> but have not yet done.  Currently the winbindd in Samba4 does not know
> how to talk to multiple domains (needed for NTLM logins across the
> trust), but the winbindd from the Samba 3.x development series does, but
> doesn't do other things we need as an AD DC.
> The KDC side of things (and SID filtering) isn't as large a project,
> because our KDC (Heimdal) knows about multiple realms, and just needs to
> know how to connect to them (the transit path).
> On the plus side, due to the FreeIPA effort, we do have tests for the
> LSA trust establishment and maintenance routines.
> Andrew Bartlett
> --
> Andrew Bartlett                      
> Authentication Developer, Samba Team 

    Charles Tryon
  “Risks are not to be evaluated in terms of the probability of success,
but in terms of the value of the goal.”
                - Ralph D. Winter

More information about the samba-technical mailing list