Mauricio Tavares raubvogel at
Mon Jun 20 08:47:25 MDT 2011

On Mon, Jun 20, 2011 at 7:20 AM, Andrew Bartlett <abartlet at> wrote:
> On Mon, 2011-06-20 at 07:08 -0400, Mauricio Tavares wrote:
>> In the provisions script for samba4, there is a line that does
>> not make sense to me:
>> creds.set_kerberos_state(DONT_USE_KERBEROS)
>> Correct me if I am wrong but it sure makes me think it is telling me
>> this setup will not be using kerberos. But, AFAIK if you are going for
>> the AD controller role you kinda need that. So, what am I missing
>> here?
> This is simply saying that this particular set of credentials should not
> use Kerberos.  In this case the script is (potentially, in
> now-deprecated functionality) talking to a server such as OpenLDAP, and
> the password used between Samba and that LDAP server isn't an AD
> password, but a simple shared secret.  Having an intermediate layer
> bothering a possibly-not-even-existing KDC would break things in this
> case.
      I think I *almost* understand. You see, AFAIK samba4 (in my case
4.0.0 alpha 15) has its own ldap and kerberos, which are used by its
clients (if it is in AD mode). Shouldn't samba4 also use them?
Otherwise it means it has backdoor access to the said credentials.

> Andrew Bartlett
> --
> Andrew Bartlett                      
> Authentication Developer, Samba Team 
