Samba to maintain Kerberos library configuration

simo idra at
Sun Aug 23 08:38:25 MDT 2009

On Fri, 2009-08-21 at 18:32 +0100, webserv at wrote:
> > pam_winbindd is certainly superior.
> > Not only it can use kerberos to authenticate (and set your credential
> > caches), but it can fallback to NTLM or even to offline mode (if
> > configured to do so).
> Ok, you convinced me (if it can handle tickets AND offline mode, then it
> is certainly a superior).
> But still, Kerberos configuration as per krb5.conf would be great at least
> for the following:
> - ssh single sign on
> - NFSv4
> - OpenLdap library / automounter
> ... and besides, there is already an option to handle the system Kerberos
> Keytab file - so this seems to me a next obvious step.
> As per the winbind_krb5_locator mentioned - this is a good example of
> absolutely useless thing - MIT Kerberos library can lookup KDCs using DNS
> SRV records on its own! So really, krb5.conf configuration only involves
> putting appropriate realm in - for experienced admin not a big deal, but
> for beginners Samba can help here greatly....

No it's not useless at all.

All MIT Kerberos library can do is to return one of the many DCs
available but they have no way to tell which one is the closest.

You may end up being unlucky and try to send your requests to a server
on the other side of the world connected by a 56K modem.

Of course this is not a concern if you don't have more than one site and
all your DCs are equally reachable and fast.


Simo Sorce
Samba Team GPL Compliance Officer <simo at>
Principal Software Engineer at Red Hat, Inc. <simo at>

More information about the samba-technical mailing list