Samba AD and Domain Trusts status
abartlet at samba.org
Wed May 14 19:52:33 MDT 2014
It was asked in another forum what our plans are for Domain Trusts in
the AD DC.
The status is that we actually have a lot of what we need for domain
trusts, particularly inter-forest trusts.
There is a lot of work to do, and I figured I would share an estimate I
did in the hope of showing that it is not only practical, but that if we
work towards it as a team, quite achievable:
The development task for inter-forest trust is 4 parts over about 6
developer-months for my time, plus review effort by others.
Broadly they are:
- Inbound inter-forest trusts (including tests)
- use the source3/winbindd code in the AD DC
- Outbound inter-forest trusts including the DsCrackNames call and SID
- Ongoing work to prepare each element to be suitable for inclusion
into Samba master as each patch matures, including appropriate tests.
(and naturally much more as we discover it)
Additionally (and not included in that estimate) is
- Subdomains and transitive trusts.
The reason I think the task is reasonably short, is that we already have
a lot of this working. For example, we demonstrated a join of Samba as
a subdomain to windows AD and vice-verca in 2011 and in 2013. The
Heimdal KDC already knows how to do inter-domain trusts - we never
removed that capability, and took steps to correctly store the backing
Even for the winbindd merge task, one that has always loomed as the
biggest blocker, a lot of good work has been done. For example, the
earlier work to use our LSA and SAMR servers directly in winbindd has
paid off, and we now connect to the source4 servers, and the passdb
module already handles the idmap. We already keep secrets.tdb in sync
with secrets.ldb, and just need to manage the reverse. Finally, the waf
build system allows us to link additional components (like irpc) without
However, there are a number of blocking factors, the primary one is that
I need partners on the team, particularly those with experience in
winbindd experience to review and merge the patches I'm working on.
Naturally, I also need support of other ongoing efforts in Samba, like
improvements in cwrap to help us handle sub-domain DNS lookups.
I would love to be working on this in daily partnership with another
interested team member, so do please speak up if you would be
interested. (Most of the work so far has been far more tedious than
difficult: making tests more generic and running them against all the
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
More information about the samba-technical