Multiple realm support

Wachdorf, Daniel R drwachd at
Thu Oct 30 15:15:23 GMT 2003

Is there a way to control this?  Can I say which realms I would like to
allow mapped (strip the @realm) to users?

Additionally, the call krb5_aname_to_localname() exists in the MIT Kerberos
libraries to provide this support.  I would allow setup in the krb5.conf
file to control how Kerberos users are mapping into local user accounts.

Thanks for your help.


> -----Original Message-----
> From: Gerald (Jerry) Carter [mailto:jerry at]
> Sent: Thursday, October 30, 2003 8:13 AM
> To: Wachdorf, Daniel R
> Cc: Samba -Tech (samba-technical at
> Subject: Re: Multiple realm support
> Wachdorf, Daniel R wrote:
> | I am wondering if it is possible to support multiple
> | realms for user account mappings when using security=ads.  For
> | example: I have two AD realms with forest trust,
> | and  I have a samba server,
> | which has the account user.  When user
> | logs into and tries to connect to,
> | he gets all the necessary Kerberos tickets, but gets rejected by
> | the samba server with the message "user
> | is invalid on this system".
> |
> | Is it possible to map multiple domains to a single user?
> I fixed a case post 3.0.0 so that there is an implicit mapping
> between users logging on via AD krb5 support and usernames on
> the local system.
> So in 3.0.1 user at and user at would map
> to the same 'user' in /etc/passwd (assuming you are not running winbindd).
> cheers, jerry
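
An added illustration, not part of either message and not Samba's own configuration: in MIT Kerberos, krb5_aname_to_localname() is driven by the auth_to_local rules in the default realm's [realms] entry of krb5.conf, which is where a per-realm allow-list for stripping @realm can be expressed. The realm names below are placeholders (the thread's realm names are not preserved), and whether a given Samba build calls this function is an assumption to verify.

```ini
# Constructed example; REALM-A.EXAMPLE and REALM-B.EXAMPLE are placeholders.
[libdefaults]
    default_realm = REALM-A.EXAMPLE

[realms]
    REALM-A.EXAMPLE = {
        # Rules are tried in order; the first one that matches wins.

        # Allow single-component principals from the one trusted foreign
        # realm: build "user@REALM", require the realm to match exactly,
        # then strip "@REALM-B.EXAMPLE" to obtain the local account name.
        auth_to_local = RULE:[1:$1@$0](^.*@REALM-B\.EXAMPLE$)s/@.*$//

        # Principals in the default realm map to their bare name.
        # DEFAULT does not apply to principals with more than one
        # component (user/admin) or to principals from any other realm.
        auth_to_local = DEFAULT
    }
```

With these rules a principal from any realm that is not listed gets no local name at all, so adding a new trust does not by itself give that realm's users access to existing local accounts.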
