On Fri, Apr 5, 2013 at 3:05 AM, Andrew Bartlett <[email protected]> wrote:
> > I know that inter-domain trust is not supported in Samba, but is it
> > possible to create an inter-realm trust on Kerberos level? I have a
> > kerberized service in realm X (Samba 4.0 as DC) and I want to allow users
> > from realm Y (also Samba 4.0, but different domain) to access it using
> > SPNEGO GSSAPI.
> > If it is possible, how can I accomplish this?
>
> You can try and set up such a trust with the windows tools. The pure
> kerberos level should work (because it is a natural part of kerberos,
> which we didn't cripple, but instead did the small work to enable and
> the FreeIPA project added the RPC calls for), but not much else will.
>

Yes, I did use a Windows tool to create a two-way trust between Samba 4.0 servers, but since this feature is still in development, I don't know how reliable it is. Our kerberized services are pretty critical. If inter-realm trust (on Kerberos level) in Samba 4.0 is stable, then I'll be more than happy to use it.

I tried setting up a simple Kerberos trust by creating cross-principals (with some LDAP hacking), but that didn't work in Samba and worked only partially when I used an SPN instead of a "regular" principal, so it's not exactly a 1 to 1 transition. Something has changed in this regard or some other mechanism is used for making a trust.
