[Samba] winbind with multiple domains

Thom Vaught tevaught at mac.com
Thu Apr 7 00:23:26 GMT 2005


I want to set up winbind so that I can have CVS authenticate against multiple
Windows domains. The Windows domains are set up with a single root domain and
several leaf domains directly beneath the root. There is trust set up between
the leaf domains.

Having joined one of the leaf domains, I can enumerate users/groups in both the
leaf and root domains. I have checked the trust and the RPC call for that
succeeds in all the leaf domains. I even seem to be able to authenticate users
against the other leaf domains. However, I cannot enumerate users/groups in the
other leaf domains.

As far as logs go, I get reports in the nmbd.log file that there are multiple
responses for the query using the name of the primary domain. I do not think this
is an issue.

In the winbindd.log I get messages that winbind cannot find the KDC of the other
leaf realms. I am almost certain that this is the issue. However, I do not know
how to fix it.

Do I need Kerberos entries and tickets for those other domains even though trust
seems to be established? Are these simply extra kdc entries on the main realm?

If Kerberos entries are required, then I see how to configure the realms in the
configuration file. However, it is not obvious how I can use kinit or another
tool to manage the tickets for multiple domains.

Or am I completely off base?

Any help is appreciated.

-thom


