[Samba] [4.0] Inter-realm trust

Andrew Bartlett abartlet at samba.org
Mon Apr 8 05:28:41 MDT 2013

On Mon, 2013-04-08 at 13:08 +0200, Kaito Kumashiro wrote:
> On Mon, Apr 8, 2013 at 12:51 PM, Andrew Bartlett <abartlet at samba.org> wrote:
> > > Yes, I did use a Windows tool to create a two-way trust between Samba
> > > 4.0 servers, but since this feature is still in development, I don't
> > > know how reliable it is. Our kerberized services are pretty critical.
> > > If inter-realm trust (on Kerberos level) in Samba 4.0 is stable, then
> > > I'll be more than happy to use it.
> >
> [...]
> > To add it to make test we mostly need to have client tools to set up the
> > trust, and then we could add tests.  At this point, I'm not even sure
> > what we can do with the tools we have - some research is required.
> >
> Maybe you could use kgetcred from Heimdal since Samba has it as a Kerberos
> subsystem? But that will test only Kerberos trust.

That's not really the hard bit - you can prove the same things that does
with smbclient4 -k yes.  

> > Note that we totally trust the other realm (another reason this is
> > unfinished), so the two forests become one security domain, in the sense
> > that a rogue administrator in one could easily forge an admin ticket in
> > the other.
> >
> That should not be a problem in our case. All realms are under our control.
> They are separated because we had autonomic NT domains (Samba 3.x). This
> will probably change when Samba 4.0 gains full NT forest support
> (replication, trusts etc.).

Yes, we would love to have that (some of this also works, again as long
as you stick to kerberos).  Sadly it is a matter of resources, and we
are all tied up on maintenance of 4.0 at this point, and no feature work
is going on in the AD DC currently. 

Note that joining two forests isn't going to be at all easy (compared
with upgrading a Samba classic domain into a forest, which would be
hard, but not impossible).

Andrew Bartlett

Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
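Added example, not from the thread or from Samba: the "prove the same things" check Andrew refers to (kgetcred or smbclient4 -k yes against the other realm) leaves a trace in the credential cache, and this script reads a klist-style listing to confirm that the trust path was really exercised. It assumes the usual klist layout where the service principal is the last token on each ticket line; the sample cache listing and the realm names REALMA.EXAMPLE / REALMB.EXAMPLE are constructed.

```python
"""Check a Kerberos credential cache listing for evidence that a
cross-realm trust path was exercised (added example, not Samba code).

A successful cross-realm access leaves three things in the cache:
  1. krbtgt/HOME@HOME           - the user's own TGT
  2. krbtgt/REMOTE@HOME         - referral TGT issued by HOME's KDC, which
                                  only exists if HOME has a trust for REMOTE
  3. <service>/<host>@REMOTE    - a ticket issued by REMOTE's KDC, proving
                                  it accepted the referral TGT
"""
import re
from dataclasses import dataclass

# service/instance@REALM, as printed by MIT and Heimdal klist
PRINCIPAL_RE = re.compile(
    r"^(?P<service>[^/@\s]+)/(?P<instance>[^@\s]+)@(?P<realm>[A-Z0-9.-]+)$"
)

# Constructed klist output (hypothetical hosts and realms, not captured data).
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@REALMA.EXAMPLE

Valid starting       Expires              Service principal
04/08/2013 10:00:00  04/08/2013 20:00:00  krbtgt/REALMA.EXAMPLE@REALMA.EXAMPLE
04/08/2013 10:00:05  04/08/2013 20:00:00  krbtgt/REALMB.EXAMPLE@REALMA.EXAMPLE
04/08/2013 10:00:05  04/08/2013 20:00:00  cifs/fileserver.realmb.example@REALMB.EXAMPLE
"""


@dataclass
class Ticket:
    service: str
    instance: str
    realm: str


def parse_klist(text):
    """Return the service principals listed in klist output.

    Header lines ('Ticket cache:', 'Default principal:', column titles) are
    skipped because their last token does not have the service/instance@REALM
    shape."""
    tickets = []
    for line in text.splitlines():
        tokens = line.strip().split()
        if not tokens:
            continue
        match = PRINCIPAL_RE.match(tokens[-1])
        if match:
            tickets.append(Ticket(**match.groupdict()))
    return tickets


def trust_path(tickets, home_realm, remote_realm):
    """Describe what the cache proves about HOME -> REMOTE trust."""
    tgt = any(t.service == "krbtgt" and t.instance == home_realm
              and t.realm == home_realm for t in tickets)
    cross_realm_tgt = any(t.service == "krbtgt" and t.instance == remote_realm
                          and t.realm == home_realm for t in tickets)
    remote_service = [f"{t.service}/{t.instance}@{t.realm}"
                      for t in tickets
                      if t.realm == remote_realm and t.service != "krbtgt"]
    return {
        "tgt": tgt,
        "cross_realm_tgt": cross_realm_tgt,
        "remote_service": remote_service,
        # All three must be present before calling the trust "working"
        "trust_exercised": tgt and cross_realm_tgt and bool(remote_service),
    }


if __name__ == "__main__":
    result = trust_path(parse_klist(SAMPLE_KLIST),
                        "REALMA.EXAMPLE", "REALMB.EXAMPLE")
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run it against a real cache with `klist | python3 check_trust.py` after replacing SAMPLE_KLIST with `sys.stdin.read()`; the point of the three-way check is that a cross-realm TGT alone only shows the home KDC believes a trust exists, while a service ticket stamped with the remote realm shows the remote KDC honoured it.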
