Does Samba4 support Cross forest trusts

Andrew Bartlett abartlet at
Mon May 28 05:50:45 MDT 2012

On Sun, 2012-05-27 at 18:29 -0600, Trever Adams wrote:
> On Sun, May 27, 2012 at 4:45 PM, Andrew Bartlett <abartlet at> wrote:
> > On Tue, 2012-05-22 at 17:12 -0700, Avinash Gupta wrote:
> >> We have two Samba4 forest domains which act as domain controllers.
> >> We would like to establish trust between them (either at forest level or at domain level).
> >> We are wondering if Samba4 supports this scenario.
> >
> > We have parts of the infrastructure required for this, but not a
> > complete solution.  In particular, if you were to try this now, we would
> > completely trust any cross-forest trust you established (no validation
> > of SIDs).
> >
> > Andrew Bartlett
> Hello All,
> I am not sure quite how to go about this. Is there any one on this
> list that adds features for money?

Yes, there certainly are.   For the right longer-term Samba4 project, I
or one of the others on the team may be available and there are
companies listed on our support pages. 

> If so, how much would it cost to get full cross forest trusts
> implemented, including the SIDs checking? I need kerberos, unix ids
> (winbind?), etc.
> One requirement for payment beyond the above is that it is integrated
> into the main tree.

This particular task is quite large to finish properly, because it may
encompass the change in winbindd implementation that we have planned,
but have not yet done.  Currently the winbindd in Samba4 does not know
how to talk to multiple domains (needed for NTLM logins across the
trust), but the winbindd from the Samba 3.x development series does, but
doesn't do other things we need as an AD DC.

The KDC side of things (and SID filtering) isn't as large a project,
because our KDC (Heimdal) knows about multiple realms, and just needs to
know how to connect to them (the transit path).  

On the plus side, due to the FreeIPA effort, we do have tests for the
LSA trust establishment and maintenance routines. 

Andrew Bartlett

Andrew Bartlett                      
Authentication Developer, Samba Team 

More information about the samba-technical mailing list