From 8daa83a594a2e98f39d764422bfbdbc62c9efd44 Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Fri, 19 Apr 2024 19:20:00 +0200 Subject: Adding upstream version 2:4.20.0+dfsg. Signed-off-by: Daniel Baumann --- .../winbind/winbindusekrb5enterpriseprincipals.xml | 34 ++++++++++++++++++++++ 1 file changed, 34 insertions(+) create mode 100644 docs-xml/smbdotconf/winbind/winbindusekrb5enterpriseprincipals.xml (limited to 'docs-xml/smbdotconf/winbind/winbindusekrb5enterpriseprincipals.xml') diff --git a/docs-xml/smbdotconf/winbind/winbindusekrb5enterpriseprincipals.xml b/docs-xml/smbdotconf/winbind/winbindusekrb5enterpriseprincipals.xml new file mode 100644 index 0000000..d30b7f3 --- /dev/null +++ b/docs-xml/smbdotconf/winbind/winbindusekrb5enterpriseprincipals.xml @@ -0,0 +1,34 @@ + + + winbindd is able to get kerberos tickets for + pam_winbind with krb5_auth or wbinfo -K/--krb5auth=. + + + winbindd (at least on a domain member) is never be able + to have a complete picture of the trust topology (which is managed by the DCs). + There might be uPNSuffixes and msDS-SPNSuffixes values, + which don't belong to any AD domain at all. + + + With no + winbindd doesn't even get a complete picture of the topology. + + + It is not really required to know about the trust topology. + We can just rely on the [K]DCs of our primary domain (e.g. PRIMARY.A.EXAMPLE.COM) + and use enterprise principals e.g. upnfromB@B.EXAMPLE.COM@PRIMARY.A.EXAMPLE.COM + and follow the WRONG_REALM referrals in order to find the correct DC. + The final principal might be userfromB@INTERNALB.EXAMPLE.PRIVATE. + + + With yes + winbindd enterprise principals will be used. + + + +yes +no + -- cgit v1.2.3