Andrew Bartlett abartlet at
Mon Jun 20 20:13:46 MDT 2011

On Mon, 2011-06-20 at 10:47 -0400, Mauricio Tavares wrote:
> On Mon, Jun 20, 2011 at 7:20 AM, Andrew Bartlett <abartlet at> wrote:
> > On Mon, 2011-06-20 at 07:08 -0400, Mauricio Tavares wrote:
> >> In the provisions script for samba4, there is a line that does
> >> not make sense to me:
> >>
> >> creds.set_kerberos_state(DONT_USE_KERBEROS)
> >>
> >> Correct me if I am wrong but it sure makes me think it is telling me
> >> this setup will not be using kerberos. But, AFAIK if you are going for
> >> the AD controller role you kinda need that. So, what am I missing
> >> here?
> >
> > This is simply saying that this particular set of credentials should not
> > use Kerberos.  In this case the script is (potentially, in
> > now-deprecated functionality) talking to a server such as OpenLDAP, and
> > the password used between Samba and that LDAP server isn't an AD
> > password, but a simple shared secret.  Having an intermediate layer
> > bothering a possibly-not-even-existing KDC would break things in this
> > case.
> >
>       I think I *almost* understand. You see, AFAIK samba4 (in my case
> 4.0.0 alpha 15) has its own ldap and kerberos, which are used by its
> clients (if it is in AD mode). Shouldn't samba4 also use them,
> otherwise it means it has a backdoor access to the said credentials.

Samba4 uses local file access to access its internal databases.  An
already deprecated feature of Samba4 was to use OpenLDAP as the internal
database, and in that case we don't use an AD password to prove our
identity to that underlying database.  

In short, yes, Samba4 uses its own back-door, private credentials
system (static password or local file permissions) to access its own

Andrew Bartlett

Andrew Bartlett                      
Authentication Developer, Samba Team 
