Samba AD and Domain Trusts status
abartlet at samba.org
Wed May 21 23:22:28 MDT 2014
On Tue, 2014-05-20 at 16:28 +0200, Andreas Schneider wrote:
> On Thursday 15 May 2014 13:52:33 Andrew Bartlett wrote:
> > It was asked in another forum what our plans are for Domain Trusts in
> > the AD DC.
> Hi Andrew,
> > The reason I think the task is reasonably short, is that we already have
> > a lot of this working. For example, we demonstrated a join of Samba as
> > a subdomain to windows AD and vice-verca in 2011 and in 2013. The
> > Heimdal KDC already knows how to do inter-domain trusts - we never
> > removed that capability, and took steps to correctly store the backing
> > credentials.
> Günther and I are interested in helping you in this task, but first we need to
> finish the MIT KDC work. In the meantime it would be great if we got more
> tests for the current winbind so we don't create regressions.
The current status of my work is in
I wonder if we can work on these two tasks in parallel? There is a lot
of work to do and review in the MIT KDC area, and I would best be able
to help you on that if you could help me with the gaps in the winbindd
work, particularly the need for reviews and a way to contact a PDC or RW
DC from winbindd. (Say when we run as an RODC and don't have the
password, or have the wrong password and need to confirm with the PDC)
> > However, there are a number of blocking factors, the primary one is that
> > I need partners on the team, particularly those with experience in
> > winbindd experience to review and merge the patches I'm working on.
> Günther and I would be available to talk about design decisions and help to
> work on the different parts.
> > Naturally, I also need support of other ongoing efforts in Samba, like
> > improvements in cwrap to help us handle sub-domain DNS lookups.
> I would be glad to help with that. I've already talked with Michael about
> this. I also looked at the code.
> 1) We need to add support to load name resolution modules in nss_wrapper.
> 2) Allow to load more than one NSS module.
> 3) Write a libnss_dns.so module using libresolv to point it to our DNS server.
> We should try to find a time were we can have a phone call and discuss MIT
> Kerberos for the DC and Trust support maybe next week.
I'm glad to hear that, and look forward to the chat. I'm regularly
available at 5pm NZT on mumble for a call I already share with Nadya.
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
More information about the samba-technical