abartlet at samba.org
Fri Dec 19 02:43:21 MST 2014
On Fri, 2014-12-19 at 00:43 +0100, Stefan (metze) Metzmacher wrote:
> has everything...
> > Some small notes:
> > - In the new trusted domain cli_credentials code, you don't need a new
> > lp_ctx, use the one on the dsdb private state pointer.
> > - The RODC already checks locally first, and falls back to a remote
> > NETLOGON call if we get NOT_IMPLEMENTED as the reply, so the TODO isn't
> > required
> Ah, ok the winbindd_dual_auth_passdb() calls...
Yes (you still have the TODO :-)
> > - How can we test all this? We really need to start a 2nd forest in
> > make test.
> I'm working on this next, first I need something like 'samba-tool domain
> trust add'
> > BTW, if you get all this going, subdomains are not far off either - most
> > of the problems are exactly the same.
> Yes, similar.
So, as long as you have tested these in some way, I'm happy for you to
mark the commits currently in master4-forest-ok Reviewed-by: Andrew
Bartlett <abartlet at samba.org>. I'm looking forward to the automated
tests. A little of what I have in my random subdomain-wip branches will
help (that starts the subdomain environment), so we really should sort
those out again in the new year. The handling of the DNS partitions
ACLs was one of the few serious blockers - remember it actually worked
Naturally, please finish your discussion with Ralf and others on the
Finally, I'm assuming the use of the domain$ account with Kerberos is
due to one-way trusts? Does it really work like that? Otherwise, I
would have expected us to use our own machine account, and obtained a
cross-realm ticket with that.
Thank you very much for all your work on this,
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
More information about the samba-technical