Active Directory Trusts

From SambaWiki

Support for Active Directory Trusts

External trusts between individual domains work in both directions (inbound and outbound). The same applies to the root domains of a forest trust.

The transitive routing into the other forest is fully functional for Kerberos, but not yet supported for NTLMSSP. FIXME: what does this mean from a functional perspective?

While a lot of things are working fine, there are currently a few limitations:

  • Both sides of the trust need to fully trust each other!
  • No SID filtering rules are applied at all!
  • This means DCs of domain A can grant domain admin rights in domain B.
  • It's not possible to add users/groups of a trusted domain into domain groups.
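
The SID filtering limitation above, shown as an added example (not Samba's code and not part of the original page): a simplified Python model of the check a trusting domain B would apply to SIDs asserted by a DC of trusted domain A. The rule used here (keep only SIDs inside the trusted domain's own namespace), the function names and all SIDs are assumptions constructed for illustration.

```python
# Added example: simplified model of SID filtering on an inbound trust.
# All SIDs below are constructed sample values, not taken from a real domain.
DOMAIN_A = "S-1-5-21-1000000001-1000000002-1000000003"  # trusted domain (constructed)
DOMAIN_B = "S-1-5-21-2000000001-2000000002-2000000003"  # trusting domain (constructed)


def domain_of(sid):
    """Return the domain SID of a domain-relative SID, or None for any other SID."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S" or not all(p.isdigit() for p in parts[1:]):
        raise ValueError(f"malformed SID: {sid!r}")
    # Domain accounts and groups have the form S-1-5-21-<3 sub-authorities>-<RID>.
    if parts[1:4] == ["1", "5", "21"] and len(parts) == 8:
        return "-".join(parts[:7])
    return None


def filter_sids(sids, trusted_domain_sid):
    """Split SIDs asserted by a trusted domain's DC into (kept, dropped).

    Assumed rule for this sketch: keep only SIDs inside the trusted domain's
    own namespace; drop everything else, including malformed entries.
    """
    kept, dropped = [], []
    for sid in sids:
        try:
            ok = domain_of(sid) == trusted_domain_sid
        except ValueError:
            ok = False
        (kept if ok else dropped).append(sid)
    return kept, dropped


# Constructed group list as a DC of domain A might assert it for one of its users.
ASSERTED = [
    DOMAIN_A + "-1105",  # the user's own account in A
    DOMAIN_A + "-513",   # Domain Users of A
    DOMAIN_B + "-512",   # Domain Admins of B: outside A's namespace
    "S-1-5-32-544",      # BUILTIN Administrators: not a domain A SID
]

if __name__ == "__main__":
    kept, dropped = filter_sids(ASSERTED, DOMAIN_A)
    print("accepted by B:", kept)
    print("filtered out: ", dropped)
```

With no filtering applied, as the list above states, domain B would accept all four entries as presented.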