[Samba] [4.0] Inter-realm trust

Kaito Kumashiro kumashiro.kaito at gmail.com
Mon Apr 8 05:08:57 MDT 2013


On Mon, Apr 8, 2013 at 12:51 PM, Andrew Bartlett <abartlet at samba.org> wrote:

> > Yes, I did use a Windows tool to create a two-way trust between Samba
> > 4.0 servers, but since this feature is still in development, I don't
> > know how reliable it is. Our kerberized services are pretty critical.
> > If inter-realm trust (on Kerberos level) in Samba 4.0 is stable, then
> > I'll be more than happy to use it.
>
[...]

> To add it to make test we mostly need to have client tools to set up the
> trust, and then we could add tests.  At this point, I'm not even sure
> what we can do with the tools we have - some research is required.
>
Maybe you could use kgetcred from Heimdal since Samba has it as a Kerberos
subsystem? But that will test only Kerberos trust.

> Note that we totally trust the other realm (another reason this is
> unfinished), so the two forests become one security domain, in the sense
> that a rogue administrator in one could easily forge an admin ticket in
> the other.
>
That should not be a problem in our case. All realms are under our control.
They are separated because we had autonomous NT domains (Samba 3.x). This
will probably change when Samba 4.0 gains full NT forest support
(replication, trusts etc.).