> The documentation is only conflicting if you are using it in a conflicting way.
> The choice of Kerberos library is important. Samba AD DC with MIT
> Kerberos still is broken regarding trust to FreeIPA.
Pardon my ignorance, I am just going by the documentation as is w/ no prior
knowledge ... where in the documentation is that specified?
The two main documentation pages I see when googling "freeipa AD trust" are:
1. If you do not have AD then use Samba 4 instead of it. As of Samba
4.3, Samba AD can establish cross-realm trusts. The feature is still
incomplete and lacks proper access controls but it can be configured to
It has no caveats or warnings on how samba is to be compiled/configured.
This older doc https://www.freeipa.org/page/IPAv3_AD_trust#Samba
is for IPAv3 (which I assumed was outdated).
I thought Samba by default used Heimdal, but you warn that kerberos is the
> The changes were pushed out with various Samba releases but I'd recommend
> looking at Samba 4.7+ -- at least that has all bugs we knew about fixed in
> Samba AD DC based on Heimdal
I am using Samba 4.8.3 compiled from source, is it recommended to instead
use the Red Hat RPM one (currently appears to be 4.7.1)?
I configured with
./configure --enable-debug --enable-selftest --with-ads --with-systemd
The other confusing parts, at least to me, in regards to Samba setup ... do
you know a working configuration using the Samba internal DNS, or do you
have to use the bind9 DLZ backend? Regardless of the Kerberos library, I still
think my preliminary issue is with DNS as I see the errors
ipa: ERROR: Attempt to solve forest trust topology conflicts
[Fri Aug 11:58:43.125865 2018] [:error] [pid 6169] ipa: ERROR: non-public: NTSTATUSError: (-1073741601, 'The domain did not exist.')
I understand this is the FreeIPA forum, and you can't be responsible for
the documentation or limitations of Samba ... It's just that YOUR documentation
does say you can use Samba ... is that just in theory, or is there an actual
working case of it somewhere?
Most ALL of the documentation I've seen seems very specific to "Windows
2008 DC" (or similar), am I on a wild goose chase, or is there some
exact specific combination of how you configure Samba (Kerberos, DNS
backend, etc.) that will work with FreeIPA?
Backing up to answer your basic question:
> What is your use case, in the first place?
> You want to run Samba AD DC and establish a trust from it to FreeIPA?
Yes, I am trying to implement an SSO solution for logon accounts for both
Windows 10 clients and Linux clients (and other web/OAuth services that
already integrate into FreeIPA).
It was my understanding that the current/only way to do this was
1) Run Samba AD that has user accounts
2) Establish a trust from FreeIPA -> Samba
On Mon, Aug 13, 2018 at 9:51 AM, Alexander Bokovoy <abokovoy(a)redhat.com
> On Mon, 13 Aug 2018, Alexander Bokovoy via FreeIPA-users wrote:
>> On Fri, 10 Aug 2018, D Anderson via FreeIPA-users
>>> Hello all,
>>> I am confused by some of the conflicting documentation about whether
>>> this is possible or not. Almost all of the documentation/working
>>> examples seem to use an actual Windows Domain Controller. Specifically
>>> the part on DNS , as the Samba4 internal DNS server has several know
>> The documentation is only conflicting if you are using it in a
>> conflicting way.
>> What is your use case, in the first place?
>> You want to run Samba AD DC and establish a trust from it to FreeIPA?
>> For a long time Samba AD DC lacked support for forest trust, thus it was
>> not possible to use it against FreeIPA. In 2015-17 Red Hat together with
>> SerNet worked on improvements in this area in Samba. The changes were
>> pushed out with various Samba releases but I'd recommend looking at
>> Samba 4.7+ -- at least that has all bugs we knew about fixed in Samba AD
>> DC based on Heimdal -- if you run the process from IPA side.
>> The choice of Kerberos library is important. Samba AD DC with MIT
>> Kerberos still is broken regarding trust to FreeIPA. The fixes went out
>> recently to SSSD 1.16.3 (released today) and Samba 4.9RC2. FreeIPA part
>> of changes is still not released as we were waiting on the other
>> upstream changes first and were busy finishing FreeIPA 4.7.0 release
> Ah, I spoke too early: MIT version of Samba AD DC is still
> fixes needed to support trust to FreeIPA upstream. The patchset is on
> review and needs few more fixes to tests as we are correcting the way
> how trusted domain object's account credentials are salted in Kerberos.
> These changes yet to be committed upstream.
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland
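The `NTSTATUSError: (-1073741601, ...)` value quoted above is a 32-bit NTSTATUS printed by Python as a signed integer, which hides the MS-ERREF code behind it. The following is an added example (not from the thread or from FreeIPA/Samba) that parses such a FreeIPA log line, converts the signed value back to the unsigned NTSTATUS and splits it into its severity/facility/code fields; the sample line is constructed from the error quoted in the post, and the small code-name table is an assumption limited to a few values I know from MS-ERREF.

```python
import re

# Constructed sample: the message portion of the httpd error-log line quoted
# in the thread. Samba's Python bindings raise NTSTATUSError as
# (signed 32-bit status, message text).
SAMPLE_LOG = "ipa: ERROR: non-public: NTSTATUSError: (-1073741601, 'The domain did not exist.')"

# Small, hand-picked map of NTSTATUS codes (MS-ERREF) seen around AD trust
# setup; not exhaustive, extend as needed.
NTSTATUS_NAMES = {
    0xC00000DF: "STATUS_NO_SUCH_DOMAIN",
    0xC0000022: "STATUS_ACCESS_DENIED",
    0xC000005E: "STATUS_NO_LOGON_SERVERS",
    0xC0000034: "STATUS_OBJECT_NAME_NOT_FOUND",
    0xC000006D: "STATUS_LOGON_FAILURE",
}
SEVERITY = {0: "SUCCESS", 1: "INFORMATIONAL", 2: "WARNING", 3: "ERROR"}

_NTSTATUS_RE = re.compile(r"NTSTATUSError: \((-?\d+), '([^']*)'\)")


def to_ntstatus(signed_code):
    """Python shows the 32-bit NTSTATUS as a signed int; mask it back to unsigned."""
    return signed_code & 0xFFFFFFFF


def decode_ntstatus(status):
    """Split an NTSTATUS into Sev (bits 31-30), C flag (29), Facility (27-16), Code (15-0)."""
    return {
        "hex": f"0x{status:08X}",
        "severity": SEVERITY[status >> 30],
        "customer": bool((status >> 29) & 1),
        "facility": (status >> 16) & 0xFFF,
        "code": status & 0xFFFF,
        "name": NTSTATUS_NAMES.get(status, "UNKNOWN"),
    }


def parse_ipa_error(line):
    """Decode the NTSTATUS in a FreeIPA NTSTATUSError log line; None if the line has none."""
    m = _NTSTATUS_RE.search(line)
    if not m:
        return None
    info = decode_ntstatus(to_ntstatus(int(m.group(1))))
    info["message"] = m.group(2)
    return info


if __name__ == "__main__":
    print(parse_ipa_error(SAMPLE_LOG))
```

For the quoted error this yields 0xC00000DF / STATUS_NO_SUCH_DOMAIN, the code to search for in MS-ERREF and in the Samba and FreeIPA trackers when narrowing down whether DNS or the trust configuration is at fault.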