delegated credentials on samba4

Andrew Bartlett abartlet at
Sat Sep 22 00:23:55 GMT 2007

On Fri, 2007-09-21 at 15:27 +0100, Amin Azez wrote:
> I'm doing some work to add some generic caching and traffic optimization
> to the cifs proxy vfs I hope will be accepted as part of samba4.

This certainly sounds interesting.  In the final delivery, we might want
to have this a separate module, with vfs_cifs and vfs_cifs_cache both
using some common code. 

> I have non-delegated proxying working, this message describes some
> difficulty I am experiencing in getting delegated mode to work as
> described in source/ntvfs/cifs/README.
> I'm developing on a Centos-5 system, samba4 built and installed OK.
> I have ntp running on all the servers involved.
> I follow the instructions at:
> and successfully followed step 4 to provision samba4 in an existing
> windows 2003 domain:
>  ./setup/provision --domain=UFO --adminpass=XXX

I clearly need to fix some of these instructions, because for the domain
member case, it just doesn't make sense.   

In short, set --realm=membername --domain=membername (because we are just
trying to create the internal SAM database).

In the smb.conf, set 'server role = member server'

> I wasn't able to completely follow these instructions:
> Please install the zone located in
> /usr/local/samba/private/ into your DNS server.
>  A sample BIND configuration snippet is at
> /usr/local/samba/private/named.conf
> because the named.conf line
> tkey-gssapi-credential "DNS/";
> causes bind9 to give the error:
> Sep 21 14:41:43 localhost named[19606]: configuring TKEY: not implemented

Yeah, I will improve the instructions.  This feature is not implemented
in all but the most recent BIND version, and in any case, you should not
do this for a member server.  

> And so I went without using the local nameserver, but had resolv.conf
> pointing to the domain controller I am trying to join.
> I mention this in case it is a cause or symptom of my problems; possibly
> related to:
> (
> Server claims it's principal name is
> Starting GENSEC submechanism gssapi_krb5
> kinit for Administrator at UFO failed (Cannot contact any KDC for requested
> realm: unable to reach any KDC in realm UFO)
> Failed to get CCACHE for GSSAPI client: Cannot contact any KDC for
> requested realm
> Cannot reach a KDC we require to contact
> cifs at
> Failed to start GENSEC client mech gssapi_krb5: NT_STATUS_INVALID_PARAMETER
> Starting GENSEC submechanism ntlmssp
> signing_good: signing negotiated but not required and peer
> isn't sending correct signatures. Turning off.
> Shutdown SMB signing
> )
> anyway, I then do:
> # net join UFO BDC -U Administrator

This you don't want to do, as you are not a BDC. 

Try 'net join UFO -U administrator', we don't want to be a Domain

> Under the windows 2003 AD administration tools, I set cfs proxy to be
> trusted for delegation.


> Notes:
> When I start smbd, I note this error:
> Name registration conflict from for UFO<1b> with ip
> - rcode 6
> Error registering UFO<1b> with on interface
> is the windows 2003 domain controller for which I want to
> make the samba4 machine also an active directory server (bdc in old
> terms?) and trusted for delegation.
> is the samba4 server.
> I guess the provision command I ran must have made a distinct domain
> instead of replicating from the existing domain of the same name,

Samba4 is not yet able to act as a second domain controller in a windows
domain, but should act as a member server, once you manage the correct
configuration.  Let's work together to set that up, and fix up the

In short:

./provision --realm=cifsproxy --domain=cifsproxy

fix up smb.conf to be:

workgroup = UFO
realm =
server role = member server

Then run
net join UFO

Then set 'trusted for delegation'

Then set your /etc/krb5.conf like (the critical one being for the UFO
domain, which being short isn't in DNS)

 dns_lookup_realm = true
 dns_lookup_kdc = true

  kdc =
  default_domain =
 } = {
  kdc =
  default_domain =
 UFO = {
  kdc =
  default_domain =

I hope this helps.  I'll make it a task for the next week to have a sane
member-server provision and join process. 

Andrew Bartlett

Andrew Bartlett
Authentication Developer, Samba Team 
Samba Developer, Red Hat Inc.
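The krb5.conf advice above hinges on one point: with dns_lookup_kdc = true the library looks for _kerberos._udp.<realm> SRV records, which a short realm name like UFO can never have, so it needs an explicit kdc line in [realms]. The following checker, added here as an example and not part of the thread or of Samba's own code, parses a krb5.conf [realms] section and flags short realms that lack one; the sample config and its kdc hostnames are constructed placeholders.

```python
"""Flag krb5.conf realms that DNS lookup cannot find and that lack a kdc entry."""
import re

# Constructed sample config; hostnames are placeholders, not from the thread.
SAMPLE_KRB5_CONF = """
[libdefaults]
 dns_lookup_realm = true
 dns_lookup_kdc = true

[realms]
 UFO.EXAMPLE.COM = {
  kdc = dc1.ufo.example.com
  default_domain = ufo.example.com
 }
 UFO = {
  default_domain = ufo.example.com
 }
"""


def parse_realms(text):
    """Return {realm: {key: value}} parsed from the [realms] section."""
    realms, current, in_realms = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(('#', ';')):
            continue
        if line.startswith('['):            # new section header
            in_realms = line.lower() == '[realms]'
            continue
        if not in_realms:
            continue
        m = re.match(r'^(\S+)\s*=\s*\{$', line)   # "REALM = {"
        if m:
            current = m.group(1)
            realms.setdefault(current, {})
        elif line == '}':                   # end of realm block
            current = None
        elif current and '=' in line:
            k, v = (s.strip() for s in line.split('=', 1))
            realms[current][k] = v
    return realms


def realms_missing_kdc(text):
    """Realms whose name has no dot (so no SRV records) and no explicit kdc."""
    return sorted(r for r, kv in parse_realms(text).items()
                  if '.' not in r and 'kdc' not in kv)
```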