KDC built in or out of smbd

Neil Hoggarth neil.hoggarth at physiol.ox.ac.uk
Wed Nov 30 11:31:30 GMT 2005

On Wed, 30 Nov 2005, Andrew Bartlett wrote:

> On Wed, 2005-11-30 at 09:09 +1100, Tim Potter wrote:
> > Last time this was discussed the option to hook in an external KDC, 
> > if there is one available on the network, was raised.  Is this still 
> > the case?
> Yes and No... There is not currently any way to hook in an external 
> KDC, but we have shown that should an external KDC happen to share the 
> same database, simply disabling our KDC would suffice.

The O'Reilly book "Kerberos: The Definitive Guide" has a section on 
Windows/Unix interoperability where it suggests that one can use a 
non-MS KDC with a Windows Active Directory server, by establishing a 
cross-realm trust relationship between the AD realm and the pre-existing 

Is something like this likely to be possible with Samba 4?

I have previously entertained hopes of using Samba 4 as a "glue layer" 
between an existing MIT-based University-wide Kerberos service (which is 
not under my administrative control) and a Windows domain which I would 
administer on my department's local LAN. I get less hopeful the more I 
learn about AD, but any encouragement would be gratefully received!

Neil Hoggarth                                Departmental Computing Manager
<neil.hoggarth at physiol.ox.ac.uk>                   Laboratory of Physiology
http://www.physiol.ox.ac.uk/~njh/                  University of Oxford, UK

More information about the samba-technical mailing list