[PATCH][WIP] AD Subdomain support for Samba 4.2?

Andrew Bartlett abartlet at samba.org
Sun Aug 10 23:50:18 MDT 2014

OK, so now I have your attention :-)

I'm making very good progress on the subdomain code, and it can be seen

The patch series is still a work in progress, but I'm trying to make it
tidy enough for folks to reasonably look at.  Thoughts, comments and if
you feel like it, review (but not push, I'll collect them up and push
them once I'm happy with the series), most welcome.

The TODO Items that I see are:
 - sort out what rules Windows uses to decide permission to call
DsReplicaUpdateRefs as our current code doesn't work well cross-domain.
I think we probably just need to rely on the PAC and membership of the
right groups.
 - connect the trusted domain passwords in sam.ldb with the
pdb_samba_dsdb code.  This does not look hard, and should then allow
winbindd to handle the NTLM forwarding.
 - Do not create in provision the groups that "only exist at the forest

No doubt there will be much more work beyond that, and in reality this
might be a Samba 4.3 feature, but much can change with a little help.  

I'm mostly testing in 'make test' right now, but have done some very
limited join testing Samba as a subdomain of Windows 2008R2.  Testing
other combinations would be very welcome. 

Please help out if you can!


Andrew Bartlett
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
