On Mon, 2013-04-08 at 13:08 +0200, Kaito Kumashiro wrote:
> On Mon, Apr 8, 2013 at 12:51 PM, Andrew Bartlett <[email protected]> wrote:
> >
> > > Yes, I did use a Windows tool to create a two-way trust between Samba
> > > 4.0 servers, but since this feature is still in development, I don't
> > > know how reliable it is. Our kerberized services are pretty critical.
> > > If inter-realm trust (on Kerberos level) in Samba 4.0 is stable, then
> > > I'll be more than happy to use it.
> > > [...]
> >
> > To add it to make test we mostly need to have client tools to set up the
> > trust, and then we could add tests. At this point, I'm not even sure
> > what we can do with the tools we have - some research is required.
>
> Maybe you could use kgetcred from Heimdal since Samba has it as a Kerberos
> subsystem? But that will test only Kerberos trust.

That's not really the hard bit - you can prove the same things that does
with smbclient4 -k yes.

> > Note that we totally trust the other realm (another reason this is
> > unfinished), so the two forests become one security domain, in the sense
> > that a rogue administrator in one could easily forge an admin ticket in
> > the other.
>
> That should not be a problem in our case. All realms are under our control.
> They are separated because we had autonomic NT domains (Samba 3.x). This
> will probably change when Samba 4.0 gains full NT forest support
> (replication, trusts etc.).

Yes, we would love to have that (some of this also works, again as long as
you stick to kerberos). Sadly it is a matter of resources, and we are all
tied up on maintenance of 4.0 at this point, and no feature work is going
on in the AD DC currently.

Note that joining two forests isn't going to be at all easy (compared with
upgrading a Samba classic domain into a forest, which would be hard, but
not impossible).

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
