From c76d2e06fd1e9d71cedcc297a6db0cffb71ee64c Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Thu, 1 Mar 2018 09:52:51 +0100 Subject: [PATCH] WHATSNEW: add 'Improved support for trusted domains (as AD DC)' section Signed-off-by: Stefan Metzmacher Reviewed-by: Ralph Boehme Reviewed-by: Andreas Schneider --- WHATSNEW.txt | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) diff --git a/WHATSNEW.txt b/WHATSNEW.txt index ce83efc7fbf..de488050817 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt @@ -167,6 +167,34 @@ domains. Some pam_winbind setups may also require the global list. If you have a setup that doesn't require the global list, you should set "winbind scan trusted domains = no". +Improved support for trusted domains (as AD DC) +----------------------------------------------- + +The support for trusted domains/forests has improved a lot. + +External domain trusts, as well a transitive forest trusts, +are supported in both directions (inbound and outbound) +for Kerberos and NTLM authentication now. + +The LSA LookupNames and LookupSids implementations +support resolving names and sids from trusts domains/forest +now. This is important in order to allow Samba based +domain members to make use of the trust. + +However there are currently still a few limitations: + +- It's not possible to add users/groups of a trusted domain + into domain groups. So group memberships are not expanded + on trust boundaries. + See https://bugzilla.samba.org/show_bug.cgi?id=13300 +- Both sides of the trust need to fully trust each other! +- No SID filtering rules are applied at all! +- This means DCs of domain A can grant domain admin rights + in domain B. +- Selective (CROSS_ORIGANIZATION) authentication is + not supported. It's possible to create such a trust, + but the KDC and winbindd ignore them. + VirusFilter VFS module ---------------------- -- 2.34.1
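Review bot: the new "Improved support for trusted domains (as AD DC)" section has three wording defects worth fixing before this lands: "as well a transitive forest trusts" should read "as well as transitive forest trusts", "resolving names and sids from trusts domains/forest" should read "from trusted domains/forests", and "CROSS_ORIGANIZATION" is a misspelling of the LSA trust attribute name CROSS_ORGANIZATION, which matters because administrators will search for the flag name. In the limitations list, the bullet "This means DCs of domain A can grant domain admin rights in domain B" is the consequence of the preceding bullet "No SID filtering rules are applied at all!" rather than a separate limitation, so consider merging the two into one bullet, e.g. "No SID filtering rules are applied at all, so DCs of domain A can grant domain admin rights in domain B", so that readers see the missing SID filtering together with its security impact, and tie it explicitly to the "Both sides of the trust need to fully trust each other!" bullet, which is the practical mitigation the section already implies.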