Domain Trusts working??

Andrew Bartlett abartlet at
Thu May 24 17:17:02 MDT 2012

On Thu, 2012-05-24 at 16:49 -0400, Charles Tryon wrote:
> WHOOT!   (I think...)
> This is something I've been wanting for quite some time now, and thought
> I'd heard hints that it was working... so I went out on a limb and tried it
> here in my test environment.  It *APPEARS* to be working!
> In Samba3, you had to use the "smbpasswd -a -i <name>" command to create a
> domain trust account.  This did not appear to work in Samba4.  However, I
> guessed that, since many other Samba4 functions can be effectively managed
> through the Microsoft administrative tools, I thought I'd try it and see
> what happenens!
> I was able to connect to my Samba4 domain with the Windows Domains and
> Trusts tool and create a one-way, inbound trust.  (For purposes of this
> test, I decided to create a one-way trust from the Windows DC to the Samba4
> DC.)  Everything seemed to go fine.  I was then able to go to the Windows
> DC and create the outgoing trust.  I was then able to authenticate and log
> in to a machine on the Windows domain, as a user from the Samba4 domain.  I
> haven't tried to access shared drives and such, but that's next.
> Other than the obvious fact that I've only tested the trust relationship in
> one direction, is there anything I'm missing here??

We are not normally ones to hide our light under a bushel, but in this
case there are some hidden gems.  When use with kerberos, a lot of this
actually has a good chance of working, particularly as the inter-forest
level.  Even parent-child trusts have the fundamental basis working, but
have challenges we just didn't get to finishing. 

We also don't yet tell the KDC how to transit from two realms that trust
each other via a third party. 

The main issue comes down to NTLM.  Inbound (Samba4 accounts used in
Windows) trusts should work, but Samba4's winbindd won't know how to
talk to a Windows DC for NTLM authentication, and in s3fs, won't know
how to fill in the 'getent passwd' entries for those users. 

We also trust our trusts absolutely - there is no SID filtering at the

Much work remains, but yes, there are some hidden gems here :-)

Andrew Bartlett

Andrew Bartlett                      
Authentication Developer, Samba Team 

More information about the samba-technical mailing list