[Samba] Samba 3.0 as NT4 PDC with MIT kerberos 1.3 (v5) for authentication?

Jane Deer jane at gnosys.biz
Sun Oct 12 19:21:02 GMT 2003

Hi All-

Please pardon my repost of my usenet article in this list.

Previously, I asked if Samba 3.0 could be an Active Directory Domain
Controller (ADDC).  I have the feeling that the answer is no.  If so, then 
I have this other question:

Can I use Samba as an NT4 PDC for making a Windows NT4 domain that
would host several M$ Windows XPP client computers as domain
clients/members, but have these client computers (and their users)
actually do their authentication not against the PDC, but rather,
against an MIT kerberos 1.3 (v5) Key Distribution Center (KDC) or
kerberos server?

I've now read one or two cases of educational institutions using
similar arrangements, but in their circumstances, they often had a M$
Windows 2000 Server machine that was the ADDC for a domain, then they
established trust between the ADDC and their MIT kerberos v5 KDC, and
then their client computers did pass-through authentication not
against the ADDC, but rather, against the KDC.  To be more specific,
the client computers were domain members of a domain hosted by the
ADDC (perhaps could also be an NT4 PDC?), and their authentication
requests apparently did a pass-through of the ADDC and then were
checked against the kerberos database on the KDC.  If the
authentication was successful, then the users ended up with a
single-sign-on (SSO) onto their Win2k/WinXP boxes, got kerberos
tickets for services from the KDC, and then obtained access to
authorized services (apparently, services that were a part of the
domain that they logged into, thus Samba would provide), and also
(possibly) services that were made available by unix machines that
were not necessarily a part of the ADDC (or NT4) domain, but that did
have service principals in the kerberos database.  Does that make

So, does anyone know if such a scheme would work with no ADDC (since I
don't have and don't want a M$ server), but rather, with Samba 3.0
acting as the PDC in an NT4 domain rather than an ADS domain?  Since,
as I said above, I get the impression that Samba 3.0 cannot be an
ADDC, using it to provide an NT4 domain seems like the next best
alternative---if it will work.

Thanks in advance for any thoughts, suggestions, advice on whether
this will or will not work and, if the former (it will work), then any
tips/tricks or gotchas on actually implementing the plan.

Thanks again, Samba Team, for your terrific suite of software!


More information about the samba mailing list