[Samba] Samba 3.0 as Active Directory Domain Controller with MIT Kerberos

John H Terpstra jht at samba.org
Sun Oct 12 19:38:46 GMT 2003

On Sun, 12 Oct 2003, Jane Deer wrote:

> "Gerald (Jerry) Carter" <jerry at samba.org> wrote in message
> news:<zwyd.1Tn.5 at gated-at.bofh.it>...
> > The Samba Team is proud to announce the availability of the
> > first official release of the Samba 3.0 code base.
> >
> > Major new features:
> > - -------------------
> >
> > 1)  Active Directory support.  Samba 3.0 is now able to
> >      join a ADS realm as a member server and authenticate
> >      users using LDAP/Kerberos.
> >
> Hi Gerald (Jerry) and Samba Team!
> Before anythings else, I'd just like to start by thanking you for your
> magnificent contribution to the Open Source community.  I've been
> using Samba in various contexts for almost 2 years now and it's been a
> huge benefit to me.  Thank you, Thank you, Thank you!
> I've been using Samba 2.2 as a PDC for a production environment with
> Windows XPP and Windows 2000 Pro clients and serving up a database
> application and Samba does beautifully at this task and has done so
> for more than a year.
> Since I see that with 3.0, Samba now supports Active Directory, it
> occurs to me that I might now be able to use Samba as an emulated
> Windows 2000 Domain Controller (i.e., an Active Directory Domain
> Controller with Kerberos), but perhaps that level of functionality is
> not there yet?  I see in the Samba-HOWTO collection documentation
> (included with the 3.0 stable tarball and dated 21 April 2003) the
> following statements:
> =====================
> The following functionalities are not provided by Samba-3:
>           SAM replication with Windows NT4 Domain Controllers (i.e., a
> Samba PDC and a Windows NT BDC or vice versa). This means Samba cannot
> operate as a BDC when the PDC is Microsoft-based or replicate account
> data to Windows BDCs.
>          Acting as a Windows 2000 Domain Controller (i.e., Kerberos
> and Active Directory). In point of fact, Samba-3 does have some Active
> Directory Domain Control ability that is at this time         purely
> experimental that is certain to change as it becomes a fully supported
> feature some time during the Samba-3 (or later) life cycle. However,
> Active Directory is more then just SMB it's also LDAP, Kerberos, DHCP,
> and other protocols (with proprietary extensions, of course).
> =====================
> But in the official press release I see the following:
> =====================
> Replacement of Windows NT4 ® Domains
> Samba 3.0 contains the first Open Source/Free Software implementation
> of Windows NT Primary and Backup Domain Controller functionality.
> Customers can transparently migrate their existing Windows NT domains
> to Samba 3.0 whilst keeping their existing user and group account
> databases. This enables significant cost of ownership savings over a
> Windows NT4 domain as a Samba 3.0 Domain Controller does not require
> client access licenses. Existing Windows tools can be used to manage a
> Samba PDC, allowing customer Windows expertise to be leveraged in a
> domain migration. A choice of LDAP back-ends allows integration with
> an existing customer directory service.
> Single Sign-on with Active Directory ® Integration   <-----<<<
> Samba 3.0 seamlessly integrates into a Microsoft Active Directory
> domain in both native and mixed mode. Samba 3.0 provides single
> sign-on for UNIX ® / Linux ® clients in an Active Directory
> environment, allowing both servers and clients to transparently use
> Active Directory as an authentication and account source. Domain trust
> relationships are fully supported, allowing Samba 3.0 Controlled
> Domains to integrate easily into any Active Directory environment.
> Complete Integration with Windows Security
> Samba 3.0 fully implements Kerberos 5 authentication, SMB signing for
> tamper-proof file serving sessions, and SCHANNEL security for secure
> remote procedure calls. Samba 3.0 works "out of the box" with the
> improved security settings of Windows 2003 Domain Controllers.
> =====================
> It looks like the press release contradicts the documentation on at
> least some points (BDC functionality), but then again the docs were
> something like 6 months old.

No, there is no contradiction. No, the documentation is not 6 months old -
they were updated immediately before 3.0.0 shipped. Your assumptions may
extrapolate a little too far!

> So, my fundamental question is:
> Can Samba 3.0 act as a Windows 2000 Domain Controller (i.e., an Active
> Directory Domain Controller with Kerberos)?

No! As stated in the HOWTO, Samba-3.0.0 can NOT act as a ADS DC. It can
act as a member server in an AD environment, but Samba can not act as an
ADS. Samba can also NOT act as an ADDC in an ADS environment.

> I already have an MIT Kerberos 1.3 installation on my network that is
> working fine with Mac OS X and Linux kerberos authentication, but I
> seem to have discovered something rather important about Microsoft
> Window XPP and kerberos authentication: it seems only to work with
> Microsoft Windows 2000 Server and Microsoft Windows 2003 Server---not
> with an MIT unix kerberos Key Distribution Center (KDC).

Correct. MS XPP/200x all use proprietary protocol extensions for Kerberos
and use LDAP over Kerberos - neither or which are supported by native MIT
Kerberos, nor is the use of LDAP over Kerberos supported in OpenLDAP.

> I actually found a Microsoft-authored howto on using Windows 2000
> Professional client computers to authenticate against an MIT Kerberos
> KDC, so I just assumed that this functionality would also exist in
> XPP, but I've hunted all over for guidance on how to do it, and I've
> come to the (perhaps premature) conclusion that XPP will not do this.

I am familiar with this MS Document. To say the very least, it aims to
permit UNIX and Linux authentication to integrate with ADS. It is VERY
messy, requires synchronization of /etc/passwd and /etc/group information
(ie: you must have entries in each for all ADS accounts), and is extremely
human resource intensive from an administration and maintenance

> So I'm hoping that Samba 3.0 combined with a functional MIT Kerberos
> 1.3 system _would_ allow me to use the wonderful kerberos protocol to
> authenticate my Windows XPP client machines without investing the $$$$
> in a M$ Windows 2000 Server or 2003 Server with per client licensing
> and all that stuff.

This does NOT work today. This was clearly (I believe) stated in the

> Is there any hope for doing this with Samba 3.0?  If not...  <sigh>
> then I'll just make do with Samba 3.0 as my NT4 PDC for authenticating
> my XPP client machines, but I'd really like to use kerberos if at all
> possible (and not use M$ Windows 200x Server).

I find necessity to repeat time and again: Samba-3.0.0, plus LDAP and
Kerberos is NOT the same as Windows 200x ADS + DC operation. It can not be
done. You can run Samba-3.0.0 only as a replacement for an NT4 PDC/BDC -
but even then - NOT in admixture. ie: No Samba-3.0.0 PDC and NT4 BDC (or
vica versa). Is that clear enough yet?

> If this functionality _is_ built into Samba 3.0, can anyone point me
> to documentation on setting it up?  I find none in the ORA book, the
> Samba-HOWTO-Collection (though they don't seem to accurately document
> everything about the newest 3.0 stable release from just last
> month---understandable as documentation must follow the coding
> itself), etc.

What is inaccurate please? I am ready to fix it!

> Thanks in advance, and again, many thanks to the Samba Team for
> creating a terrific software suite!

- John T.
John H Terpstra
Email: jht at samba.org

More information about the samba mailing list