how to use kerberos authentication to samba4 file server

Alexander Bokovoy ab at
Mon Jun 29 06:09:11 MDT 2015

On Mon, Jun 29, 2015 at 02:47:33PM +0800, 运帅 wrote:
> Hi Folks,
> I am looking for some help from you,  thanks in advance.
> I am building samba4 file server with "--without-ad-dc" option, and add the file server as a domain member.
> as I already have an Active Directory Domain Controller in place(with window2008).
> the problem I am encountered is:
> after adding the file server as a domain member, I donot know how to use kerberos authentication to access the file server.
> when build samba4, it hints will select embedded Heimdal build. but there arenot kerberos tools, such as kstash, kadmin, kinit, klist and so on
> How can I use kerberos authentication as samba3?
When using --without-ad-dc, you are supposed to have MIT Kerberos
libraries on your system to link against.

When using Samba as a domain member in AD, you have to join it to
domain with 'net ads join' call, using Samba's 'net' utility. This will
create required host principal and obtain keytab credentials for it.

Then your clients will be able to obtain service tickets towards this
domain member and Samba will be able to authenticate them.

You do not need kstash/kadmin on the domain member where Samba runs
to use it as a Keberized service. These commands are only required on
the KDC side which you already have implemented with the use of
Microsoft Windows 2008 Server.
/ Alexander Bokovoy

More information about the samba-technical mailing list