samba - Apr 2025 - Samba 4.2.15 and MIT Kerberos External Authentication

>
> It sounded like you had set up Samba as an AD DC using MIT instead of
> Hiemdal until here, now I am not so sure. It sounds like you have an
> existing Kerberos realm and you are trying to get a Samba AD DC to auth
> from that, if that is the case, then that is not how you are supposed
> to do it.
>
> If you want to see how to set up a DC with MIT, then the easiest way is
> to do it on the latest fedora, their Samba AD DC uses MIT by default.
>
> Rowland
>
>
Yes this is correct. I am following the doc as per below. I build samba and
upgraded krb5 to the required level needed to build with
--with-experimental-mit-ad-dc

https://wiki.samba.org/index.php/Running_a_Samba_AD_DC_with_MIT_Kerberos_KDC

My understanding is, this *may* work with experimental. The local on site
domain is a realm that has a list of usernames and samba accounts but
authentication is off loaded onto an external realm and there is a one way
trust relationship where the local samba server trusts the external realm
-- all that is required is that there is a local username and username map
on local samba server.

I adjusted the below settings.


/usr/local/samba/etc/user.map

!root = Administrator
!department-adm = Administrator
*@DEPARTMENT.LOCAL = %1 at COMPANY.COM

/etc/nsswitch.conf

passwd:         compat winbind
group:          compat winbind
shadow:         compat

/etc/pam.d/common-auth

auth required pam_winbind.so
account required pam_winbind.so require_membership_of=DEPARTMENT\\Domain\
Users

I will check the Fedora docs how they are doing it. Are that if would be
easier to use Fedora to set this up as its included in their stable repos?

On Wed, 9 Apr 2025 08:36:16 -0400
igor noredinoski via samba <samba at lists.samba.org> wrote:
> >
> > It sounded like you had set up Samba as an AD DC using MIT instead
> > of Hiemdal until here, now I am not so sure. It sounds like you
> > have an existing Kerberos realm and you are trying to get a Samba
> > AD DC to auth from that, if that is the case, then that is not how
> > you are supposed to do it.
> >
> > If you want to see how to set up a DC with MIT, then the easiest
> > way is to do it on the latest fedora, their Samba AD DC uses MIT by
> > default.
> >
> > Rowland
> >
> >
> Yes this is correct. I am following the doc as per below. I build
> samba and upgraded krb5 to the required level needed to build with
> --with-experimental-mit-ad-dc
> 
>
https://wiki.samba.org/index.php/Running_a_Samba_AD_DC_with_MIT_Kerberos_KDC
> 
> My understanding is, this *may* work with experimental.
If you are going to replace Heimdal with MIT on a Samba AD DC, you do
just that, you replace the kerberos server, you do not use an already
running MIT kdc. Due to a few differences (which over time have been
reduced) using MIT as the kdc is still classed as experimental.
> The local on
> site domain is a realm that has a list of usernames and samba
> accounts but authentication is off loaded onto an external realm and
> there is a one way trust relationship where the local samba server
> trusts the external realm -- all that is required is that there is a
> local username and username map on local samba server.
Sorry, but if you are running Samba as an AD DC, it must be the point of
truth, it must hold all the AD records and your AD domain clients must
use it for authentication.
> 
> I adjusted the below settings.
> 
> 
> /usr/local/samba/etc/user.map
> 
> !root = Administrator
> !department-adm = Administrator
> *@DEPARTMENT.LOCAL = %1 at COMPANY.COM
That is only used on a Unix domain member (and you do not really need
it there), it is never used on a Samba AD DC.
> 
> /etc/nsswitch.conf
> 
> passwd:         compat winbind
> group:          compat winbind
> shadow:         compat
> 
> /etc/pam.d/common-auth
> 
> auth required pam_winbind.so
> account required pam_winbind.so
> require_membership_of=DEPARTMENT\\Domain\ Users
> 
> I will check the Fedora docs how they are doing it. Are that if would
> be easier to use Fedora to set this up as its included in their
> stable repos?
Fedora sets up a Samba AD DC using a new MIT kdc.

Rowland