More forest trust related patches

Andrew Bartlett abartlet at
Mon Apr 13 01:29:38 MDT 2015

On Sun, 2015-04-12 at 21:38 +0200, Stefan (metze) Metzmacher wrote:
> Hi,
> I moved a lot more stuff to the -ok branch (Note I also changed/fixed some
> of the dsdb_trust_* helper functions compared to the last patchset!)
> It passed autobuild a few times and it's ready for master from my side.
> Note that samba-tool domain trust create needs to generate a true
> utf8 based password if --no-aes-keys is given, this is required
> because our kerberos client code can't handle random utf16munged passwords
> for arcfour-hmac-md5 pre-auth yet.


> However there are a few TODOs in the remaining patches.
> It's mainly related to bug #11130, where we should allow
> The same applies also for trust accounts (I guess it's just based on the
> '$').
> It's allowed as a client and also as a service principal.
> I added some tests for it and hacked a mostly working (but ugly)
> implementation,
> Andrew maybe you can work out a better fix :-)

I'm really curious as to if this is related to samAccountName, or
perhaps CN or dnsHostName as attributes.  I guess I need to do more

> Note that winbindd uses MYDOMAIN at OTHERREALM for kinit and generates some
> warnings
> without the fix for bug #11130, but it still works fine.
> Please review and push the -ok patches.

I'll take a look.

Andrew Bartlett             
Authentication Developer, Samba Team
Samba Developer, Catalyst IT
