[Samba] Realm trust between Samba AD and MIT kerberos realm

Alex Moore alex at lspeed.org
Thu Jan 10 23:11:04 UTC 2019

Hi all,

I was hoping to set up a realm trust between a Samba AD domain and a 
kerberos realm running mit-krb5, however it looks like that isn't 
currently supported. Is that correct, or am I missing something (I'm 
running Samba 4.9.4)?

Having noticed that "samba-tool domain trust" only seems to cater for 
trusts involving other AD domains, I tried to work around that (in the 
hope that perhaps the limitation is only in the CLI tools) by promoting 
a Windows 2008 R2 system to a DC in my otherwise Samba-based AD 
environment, to see if I could use that to get the realm trust in place. 
That seems to have at least half worked... I found that I needed to 
temporarily move the PDC Emulator role to the Windows 2008 R2 DC, after 
which it was then possible to use the GUI tools (i.e. Active Directory 
Domains and Trusts) to create a kerberos realm trust. For the record I 
created a non-transitive outgoing realm trust from AD to the MIT 
kerberos realm. The resulting kerberos realm trust does appear to 
function correctly, although perhaps that's not saying much because I 
haven't yet tried demoting the Windows 2008 R2 DC to see whether the 
realm trust continues to function once there are only Samba DCs 
remaining (I will test that soon...). At least "samba-tool domain trust 
list/show" do present sensible information:

# samba-tool domain trust list
Type[External] Transitive[No]  Direction[OUTGOING] Name[KRB.REALM]

# samba-tool domain trust show KRB.REALM
LocalDomain Netbios[AD] DNS[ad.domain] 

NetbiosName:    KRB.REALM
SID:            None
Type:           0x3 (MIT)
Direction:      0x2 (OUTBOUND)
Attributes:     0x1 (NON_TRANSITIVE)
PosixOffset:    0x00000000 (0)
kerb_EncTypes:  0x18 (AES128_CTS_HMAC_SHA1_96,AES256_CTS_HMAC_SHA1_96)

However I have already noticed one thing that is broken... if I restart 
samba on the Samba DC after creating the realm trust, winbind 
immediately dies with the following (and I can't see a workaround - 
meaning this isn't a viable deployment even if the trust would otherwise 
continue to work after demoting the Windows DC, as it would stop working 
as soon as samba is next restarted):

[2019/01/10 20:17:59.578186,  0] 
   initialize_winbindd_cache: clearing cache and re-creating with 
version number 2
[2019/01/10 20:17:59.585080,  0] 
   add_trusted_domain: Got null SID for domain [KRB.REALM]
[2019/01/10 20:17:59.585114,  0] 
   init_domain_list: init_domain_list_dc failed
[2019/01/10 20:17:59.585138,  0] 
   unable to initialize domain list

So - is there any chance of getting support for kerberos realm trusts 
added to Samba? Perhaps I am being naive here, but I'm hoping that 
presumably realm trusts are much simpler than other AD trust types 
(since they're purely kerberos - no need to deal with SIDs and other 
such complexities), to the extent that I imagine they only require a 
subset of the code that has already been implemented for the other trust 
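The winbind log above shows add_trusted_domain() refusing a trust whose SID is null. Below is an added pre-restart check, not part of this post or of Samba, that parses "samba-tool domain trust list/show" output in the format quoted above and flags any trust with "SID: None". The OTHERAD entry and its SID are constructed for comparison only.

```python
import re
import subprocess

# Constructed samples modelled on the output quoted in the post: the MIT
# realm trust with no SID, plus an assumed AD trust with a SID for contrast.
SAMPLE_LIST = "Type[External] Transitive[No]  Direction[OUTGOING] Name[KRB.REALM]\n"
SAMPLE_SHOW_MIT = """LocalDomain Netbios[AD] DNS[ad.domain]

NetbiosName:    KRB.REALM
SID:            None
Type:           0x3 (MIT)
Direction:      0x2 (OUTBOUND)
Attributes:     0x1 (NON_TRANSITIVE)
"""
SAMPLE_SHOW_AD = """NetbiosName:    OTHERAD
SID:            S-1-5-21-1111111111-2222222222-3333333333
Type:           0x2 (UPLEVEL)
Direction:      0x3 (BOTH)
"""

def trust_names(list_output):
    """Extract the Name[...] values from 'samba-tool domain trust list'."""
    return re.findall(r"Name\[([^\]]+)\]", list_output)

def parse_trust_show(show_output):
    """Turn the 'Key:   value' lines of 'samba-tool domain trust show' into a dict."""
    fields = {}
    for line in show_output.splitlines():
        m = re.match(r"^(\w+):\s+(.*)$", line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields

def breaks_winbind(fields):
    """A trust with no SID hits the add_trusted_domain() null-SID failure
    from the post, so winbind would not survive the next samba restart."""
    return fields.get("SID", "None") == "None"

def risky_trusts(list_output, show_outputs):
    """Return the names of listed trusts whose 'show' output has no SID."""
    return [name for name in trust_names(list_output)
            if breaks_winbind(parse_trust_show(show_outputs.get(name, "")))]

def samba_tool(*args):
    """Run samba-tool on a real DC (not used by the constructed samples)."""
    return subprocess.run(["samba-tool", "domain", "trust", *args],
                          capture_output=True, text=True, check=True).stdout

if __name__ == "__main__":
    listing = samba_tool("list")
    shows = {n: samba_tool("show", n) for n in trust_names(listing)}
    for n in risky_trusts(listing, shows):
        print(f"WARNING: trust {n} has no SID; winbind will fail on restart")
```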