master4-forest-ok branch

Stefan (metze) Metzmacher metze at
Fri Dec 19 03:06:45 MST 2014

On 19.12.2014 at 10:43, Andrew Bartlett wrote:
> On Fri, 2014-12-19 at 00:43 +0100, Stefan (metze) Metzmacher wrote:
>> has everything...
>>> Some small notes:
>>>  - In the new trusted domain cli_credentials code, you don't need a new
>>> lp_ctx, use the one on the dsdb private state pointer. 
>> fixed.
>>>  - The RODC already checks locally first, and falls back to a remote
>>> NETLOGON call if we get NOT_IMPLEMENTED as the reply, so the TODO isn't
>>> required
>> Ah, ok the winbindd_dual_auth_passdb() calls...
> Yes (you still have the TODO :-)
>>>  - How can we test all this?  We really need to start a 2nd forest in
>>> make test.
>> I'm working on this next, first I need something like 'samba-tool domain
>> trust add'
>>> BTW, if you get all this going, subdomains are not far off either - most
>>> of the problems are exactly the same. 
>> Yes, similar.
> So, as long as you have tested these in some way,

Yes, I'm testing with Windows and FreeIPA.

> I'm happy for you to mark the commits currently in master4-forest-ok
> Reviewed-by: Andrew Bartlett <abartlet at>.


> I'm looking forward to the automated tests.

Yes, that's one of my next tasks...

> A little of what I have in my random subdomain-wip branches will
> help (that starts the subdomain environment), so we really should sort
> those out again in the new year.  The handling of the DNS partitions
> ACLs was one of the few serious blockers - remember it actually worked
> at Microsoft!

I'll have a look if I can take some of your work.

> Naturally, please finish your discussion with Ralf and others on the
> waf/build changes.


> Finally, I'm assuming the use of the domain$ account with Kerberos is
> due to one-way trusts?  Does it really work like that?  Otherwise, I
> would have expected us to use our own machine account, and obtained a
> cross-realm ticket with that.

Yes, that works fine.



More information about the samba-technical mailing list