Current ideas on kerberos requirements for Samba4

Love Hörnquist Åstrand lha at
Tue May 17 10:38:26 GMT 2005

"Wachdorf, Daniel R" <drwachd at> writes:

> I have a question regarding this.  I submitted a bug on this a while back but it got closed due to lack of a fix. 
> What if you have an environment where SMB clients will be from a kerberos
> realmA will be accessing a SAMBA share using kerberos auth which is a
> member of realmB.  Testing of 3.0 revaled that SAMBA had a problem
> mapping the principal user at realmA into a username.
> Do you think adding a local_name support (much like
> krb5_aname_to_localname in MIT) to translate username kerberos principals
> of non-local kerberos realms into local account names.

Isn't this done with the Name Mapping ldap attribute
(altSecurityIdentities), samba doesn't support this, so use use a local
patch that adds a hard mapping between our Kerberos realm (heimdal) and AD.


> -dan
> -----Original Message-----
> From: krbdev-bounces at on behalf of Andrew Bartlett
> Sent: Mon 5/16/2005 9:36 AM
> To: krbdev at; heimdal-discuss at; samba-technical at
> Cc: Michelle Escalante
> Subject: Current ideas on kerberos requirements for Samba4
> Just a quick note to let a few more people know that I am putting
> together a rough text document describing various things about kerberos.
> I'm sure parts are just complete fiction, but I'm still new to many
> parts of this game. :-)
> The idea is to write down the special things Samba4 will need from
> GSSAPI/Kerberos libraries and KDC implementations, however we end up
> producing things.
> The current version (updated from SVN) is at:
> notes.txt
> Andrew Bartlett
> -- 
> Andrew Bartlett                      
> Authentication Developer, Samba Team 
> Student Network Administrator, Hawker College
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 477 bytes
Desc: not available
Url :

More information about the samba-technical mailing list