master4-forest-ok branch

Andrew Bartlett abartlet at
Fri Dec 19 02:43:21 MST 2014

On Fri, 2014-12-19 at 00:43 +0100, Stefan (metze) Metzmacher wrote:

> has everything...
> > Some small notes:
> >  - In the new trusted domain cli_credentials code, you don't need a new
> > lp_ctx, use the one on the dsdb private state pointer. 
> fixed.
> >  - The RODC already checks locally first, and falls back to a remote
> > NETLOGON call if we get NOT_IMPLEMENTED as the reply, so the TODO isn't
> > required
> Ah, ok the winbindd_dual_auth_passdb() calls...

Yes (you still have the TODO :-)

> >  - How can we test all this?  We really need to start a 2nd forest in
> > make test.
> I'm working on this next, first I need something like 'samba-tool domain
> trust add'
> > BTW, if you get all this going, subdomains are not far off either - most
> > of the problems are exactly the same. 
> Yes, similar.

So, as long as you have tested these in some way, I'm happy for you to
mark the commits currently in master4-forest-ok Reviewed-by: Andrew
Bartlett <abartlet at>.  I'm looking forward to the automated
tests.  A little of what I have in my random subdomain-wip branches will
help (that starts the subdomain environment), so we really should sort
those out again in the new year.  The handling of the DNS partitions
ACLs was one of the few serious blockers - remember it actually worked
at Microsoft!

Naturally, please finish your discussion with Ralf and others on the
waf/build changes.

Finally, I'm assuming the use of the domain$ account with Kerberos is
due to one-way trusts?  Does it really work like that?  Otherwise, I
would have expected us to use our own machine account, and obtained a
cross-realm ticket with that.

Thank you very much for all your work on this,

Andrew Bartlett

Andrew Bartlett             
Authentication Developer, Samba Team
Samba Developer, Catalyst IT
