Samba AD and Domain Trusts status

Andreas Schneider asn at
Tue May 20 08:28:22 MDT 2014

On Thursday 15 May 2014 13:52:33 Andrew Bartlett wrote:
> It was asked in another forum what our plans are for Domain Trusts in
> the AD DC.

Hi Andrew,

> The reason I think the task is reasonably short, is that we already have
> a lot of this working.  For example, we demonstrated a join of Samba as
> a subdomain to Windows AD and vice versa in 2011 and in 2013.  The
> Heimdal KDC already knows how to do inter-domain trusts - we never
> removed that capability, and took steps to correctly store the backing
> credentials.

Günther and I are interested in helping you in this task, but first we need to 
finish the MIT KDC work. In the meantime it would be great if we got more 
tests for the current winbind so we don't create regressions.

> However, there are a number of blocking factors, the primary one is that
> I need partners on the team, particularly those with experience in
> winbindd, to review and merge the patches I'm working on.

Günther and I would be available to talk about design decisions and help to 
work on the different parts.

> Naturally, I also need support of other ongoing efforts in Samba, like
> improvements in cwrap to help us handle sub-domain DNS lookups.

I would be glad to help with that. I've already talked with Michael about 
this. I also looked at the code.

1) We need to add support to load name resolution modules in nss_wrapper.
2) Allow loading more than one NSS module.
3) Write a module using libresolv to point it to our DNS server.

We should try to find a time where we can have a phone call and discuss MIT 
Kerberos for the DC and Trust support, maybe next week.


	-- andreas

Andreas Schneider                   GPG-ID: CC014E3D
Samba Team                             asn at
