[Samba] [4.0] Inter-realm trust

Andrew Bartlett abartlet at samba.org
Mon Apr 8 04:51:48 MDT 2013

On Mon, 2013-04-08 at 12:37 +0200, Kaito Kumashiro wrote:
> On Fri, Apr 5, 2013 at 3:05 AM, Andrew
> Bartlett <abartlet at samba.org> wrote:
>         > I know that inter-domain trust is not supported in Samba,
>         but is it
>         > possible to create an inter-realm trust on Kerberos level? I
>         have a
>         > kerberized service in realm X (Samba 4.0 as DC) and I want
>         to allow users
>         > from realm Y (also Samba 4.0, but different domain) to
>         access it using
>         > SPNEGO GSSAPI.
>         > If it is possible, how can I accomplish this?
>         You can try and set up such a trust with the windows tools.
>          The pure
>         kerberos level should work (because it is a natrual part of
>         kerberos,
>         which we didn't cripple, but instead did the small work to
>         enable and
>         the FreeIPA project added the RPC calls for), but not much
>         else will.
> Yes, I did use a Windows tool to create a two-way trust between Samba
> 4.0 servers, but since this feature is still in development, I don't
> know how reliable it is. Our kerberized services are pretty critical.
> If inter-realm trust (on Kerberos level) in Samba 4.0 is stable, then
> I'll be more than happy to use it.

It's untested, and not really supported, but we don't intend to break it
either.  I love seeing Samba stretched into new places, and want to
break things for you. 

We would love for this to be more developed, and for it to become tested
as part of 'make test'.  The primary mechanics here is just pure
kerberos, where inter-realm is a well understood thing, and that is why
it works as well as it does. 

To add it to make test we mostly need to have client tools to set up the
trust, and then we could add tests.  At this point, I'm not even sure
what we can do with the tools we have - some research is required.

Note that we totally trust the other realm (another reason this is
unfinished), so the two forests become one security domain, in the sense
the a rouge administrator in one could easily forge and admin ticket in
the other. 

Note that trusts are quite special in AD, which is why you can't just do
it with an SPN.  That much we already have well coded up, as otherwise
it would be too easy to break in.  

Andrew Bartlett

Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org

More information about the samba mailing list