igor noredinoski
2025-Apr-09 12:36 UTC
[Samba] Samba 4.2.15 and MIT Kerberos External Authentication
> It sounded like you had set up Samba as an AD DC using MIT instead of
> Heimdal until here, now I am not so sure. It sounds like you have an
> existing Kerberos realm and you are trying to get a Samba AD DC to auth
> from that, if that is the case, then that is not how you are supposed
> to do it.
>
> If you want to see how to set up a DC with MIT, then the easiest way is
> to do it on the latest fedora, their Samba AD DC uses MIT by default.
>
> Rowland

Yes, this is correct. I am following the doc as per below. I built samba and upgraded krb5 to the required level needed to build with --with-experimental-mit-ad-dc

https://wiki.samba.org/index.php/Running_a_Samba_AD_DC_with_MIT_Kerberos_KDC

My understanding is, this *may* work with experimental. The local on-site domain is a realm that has a list of usernames and samba accounts, but authentication is offloaded onto an external realm and there is a one-way trust relationship where the local samba server trusts the external realm -- all that is required is that there is a local username and username map on the local samba server.

I adjusted the below settings.

/usr/local/samba/etc/user.map

!root = Administrator
!department-adm = Administrator
*@DEPARTMENT.LOCAL = %1@COMPANY.COM

/etc/nsswitch.conf

passwd: compat winbind
group: compat winbind
shadow: compat

/etc/pam.d/common-auth

auth required pam_winbind.so
account required pam_winbind.so require_membership_of=DEPARTMENT\\Domain\ Users

I will check the Fedora docs for how they are doing it. Would it be easier to use Fedora to set this up, as it's included in their stable repos?
Rowland Penny
2025-Apr-09 13:05 UTC
[Samba] Samba 4.2.15 and MIT Kerberos External Authentication
On Wed, 9 Apr 2025 08:36:16 -0400
igor noredinoski via samba <samba at lists.samba.org> wrote:

> > It sounded like you had set up Samba as an AD DC using MIT instead
> > of Heimdal until here, now I am not so sure. It sounds like you
> > have an existing Kerberos realm and you are trying to get a Samba
> > AD DC to auth from that, if that is the case, then that is not how
> > you are supposed to do it.
> >
> > If you want to see how to set up a DC with MIT, then the easiest
> > way is to do it on the latest fedora, their Samba AD DC uses MIT by
> > default.
> >
> > Rowland
> >
> Yes, this is correct. I am following the doc as per below. I built
> samba and upgraded krb5 to the required level needed to build with
> --with-experimental-mit-ad-dc
>
> https://wiki.samba.org/index.php/Running_a_Samba_AD_DC_with_MIT_Kerberos_KDC
>
> My understanding is, this *may* work with experimental.

If you are going to replace Heimdal with MIT on a Samba AD DC, you do just that: you replace the kerberos server, you do not use an already running MIT kdc. Due to a few differences (which over time have been reduced), using MIT as the kdc is still classed as experimental.

> The local on-site domain is a realm that has a list of usernames and
> samba accounts, but authentication is offloaded onto an external realm
> and there is a one-way trust relationship where the local samba server
> trusts the external realm -- all that is required is that there is a
> local username and username map on the local samba server.

Sorry, but if you are running Samba as an AD DC, it must be the point of truth: it must hold all the AD records, and your AD domain clients must use it for authentication.

> I adjusted the below settings.
>
> /usr/local/samba/etc/user.map
>
> !root = Administrator
> !department-adm = Administrator
> *@DEPARTMENT.LOCAL = %1@COMPANY.COM

That is only used on a Unix domain member (and you do not really need it there); it is never used on a Samba AD DC.

> /etc/nsswitch.conf
>
> passwd: compat winbind
> group: compat winbind
> shadow: compat
>
> /etc/pam.d/common-auth
>
> auth required pam_winbind.so
> account required pam_winbind.so require_membership_of=DEPARTMENT\\Domain\ Users
>
> I will check the Fedora docs for how they are doing it. Would it be
> easier to use Fedora to set this up, as it's included in their stable
> repos?

Fedora sets up a Samba AD DC using a new MIT kdc.

Rowland
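Added example, not from the thread or from the Samba project: a small shell check for the mix-up Rowland points out, a host whose smb.conf declares the AD DC role while also carrying a "username map" entry that only domain members read. The smb.conf content and paths below are constructed for the demonstration; the "dc" and "domain controller" spellings are assumed aliases of the full role name.

```shell
#!/bin/sh
# Print the value of one [global] parameter from an smb.conf ($1 = file,
# $2 = parameter name), lower-cased with surrounding whitespace stripped.
# Only the [global] section is examined; other sections are skipped.
smb_global_param() {
    awk -v want="$2" '
        /^[[:space:]]*\[/ { insec = ($0 ~ /^[[:space:]]*\[global\][[:space:]]*$/); next }
        insec && /=/ {
            key = $0; sub(/=.*/, "", key); gsub(/^[[:space:]]+|[[:space:]]+$/, "", key)
            if (tolower(key) == tolower(want)) {
                val = $0; sub(/^[^=]*=/, "", val); gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
                print tolower(val); exit
            }
        }' "$1"
}

# Return 0 when the role and the map setting are consistent, 1 when an
# AD DC also sets a username map (ignored there, and a sign the design is
# treating the DC as a domain member instead of the point of truth).
check_dc_usermap() {
    role=$(smb_global_param "$1" "server role")
    map=$(smb_global_param "$1" "username map")
    case "$role" in
        "active directory domain controller"|"domain controller"|"dc")
            if [ -n "$map" ]; then
                echo "WARN: AD DC role with 'username map = $map'; map files are only read on domain members" >&2
                return 1
            fi ;;
    esac
    return 0
}

# Constructed sample resembling the poster's layout (not a real file).
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
[global]
    workgroup = DEPARTMENT
    realm = DEPARTMENT.LOCAL
    server role = active directory domain controller
    username map = /usr/local/samba/etc/user.map
[sysvol]
    path = /usr/local/samba/var/locks/sysvol
EOF

check_dc_usermap "$SAMPLE_CONF" && echo "config consistent" || echo "config needs review"
```

On a real host, run it against /etc/samba/smb.conf or /usr/local/samba/etc/smb.conf; a member server with a username map passes, an AD DC with one is flagged.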