question about service principals (samba4)

simo idra at
Sun Sep 26 16:25:09 MDT 2010

On Sun, 2010-09-26 at 18:06 -0400, srikumar 108 wrote:
> On Sat, Sep 25, 2010 at 12:46 PM, Aaron Solochek
> <aarons-samba at> wrote:
> > On 09/25/2010 03:10 AM, srikumar 108 wrote:
> >>
> >> To be honest, I already have what I need with a little shell script
> >> and heimdal's ktutil. However, that may not be a solution for
> >> everybody (because of its dependence on heimdal's utilities). What I
> >> was after was to create an user a/c, like 'smtp-speedy' and then add
> >> an SPN like 'smtp/' for kerberized services running on
> >> other hosts (i.e. not on the DC), and which may not be running samba
> >> (so I can't use existing methods like samba3's 'net ads keytab'
> >> command). My thinking was, why should a web or mail server have to be
> >> joined to the AD domain, shouldn't ldap and kerberos be enough?
> >>
> >
> > This situation is pretty much exactly why I'd like kadmin running on the kdc.
> > It is unfortunate that the protocols are different between Heimdal/MIT, and I am
> > assuming that it's non-trivial to swap in MIT krb5 in the samba build, but
> > kerberos doesn't imply samba, and a network could very well have machines that
> > want kerberos but not samba.  It ought to be possible to set up such a machine
> > using the kerberos tools it will already have, and not be required to extract
> > the keys on some third machine and transfer them over.
> >
> >
> It sounds like a possible solution for you would be to run a separate
> kdc and establish a two-way trust with the domain controller. We have
> something similar working. In this way, the AD servers manage the
> Windows desktops, and a separate bunch of unix servers can be manged
> by a unix kdc using familiar tools. Now, I know this can be with Win2k
> servers, but I don't know if this can be done with samba4, or whether
> that feature is planned. This can also satisfy the "we want to run our
> own kdc" constituency...

FYI: we are planning to do exactly this with the FreeIPA project in
version3, we will be using samba components to do cross forest trusts
with AD-style domains.


Simo Sorce
Samba Team GPL Compliance Officer <simo at>
Principal Software Engineer at Red Hat, Inc. <simo at>

More information about the samba-technical mailing list