Samba AD and Domain Trusts status

Andrew Bartlett abartlet at
Wed May 21 23:22:28 MDT 2014

On Tue, 2014-05-20 at 16:28 +0200, Andreas Schneider wrote:
> On Thursday 15 May 2014 13:52:33 Andrew Bartlett wrote:
> > It was asked in another forum what our plans are for Domain Trusts in
> > the AD DC.
> Hi Andrew,
> > The reason I think the task is reasonably short, is that we already have
> > a lot of this working.  For example, we demonstrated a join of Samba as
> > a subdomain to Windows AD and vice versa in 2011 and in 2013.  The
> > Heimdal KDC already knows how to do inter-domain trusts - we never
> > removed that capability, and took steps to correctly store the backing
> > credentials.
> Günther and I are interested in helping you in this task, but first we need to 
> finish the MIT KDC work. In the meantime it would be great if we got more 
> tests for the current winbind so we don't create regressions.

The current status of my work is in;a=shortlog;h=refs/heads/ad-dc-winbindd

I wonder if we can work on these two tasks in parallel?  There is a lot
of work to do and review in the MIT KDC area, and I would best be able
to help you on that if you could help me with the gaps in the winbindd
work, particularly the need for reviews and a way to contact a PDC or RW
DC from winbindd.  (Say when we run as an RODC and don't have the
password, or have the wrong password and need to confirm with the PDC)

> > However, there are a number of blocking factors, the primary one is that
> > I need partners on the team, particularly those with winbindd
> > experience to review and merge the patches I'm working on.
> Günther and I would be available to talk about design decisions and help to 
> work on the different parts.


> > Naturally, I also need support of other ongoing efforts in Samba, like
> > improvements in cwrap to help us handle sub-domain DNS lookups.
> I would be glad to help with that. I've already talked with Michael about 
> this. I also looked at the code.
> 1) We need to add support to load name resolution modules in nss_wrapper.
> 2) Allow to load more than one NSS module.
> 3) Write a module using libresolv to point it to our DNS server.
> We should try to find a time where we can have a phone call and discuss MIT 
> Kerberos for the DC and Trust support maybe next week.

I'm glad to hear that, and look forward to the chat.  I'm regularly
available at 5pm NZT on mumble for a call I already share with Nadya.

Andrew Bartlett

Andrew Bartlett
Authentication Developer, Samba Team
Samba Developer, Catalyst IT
