[Samba] ADS mode / MIT realm trust problem (3.0.20b)

Aaron Grewell AGrewell at uwb.edu
Tue Nov 29 18:18:19 GMT 2005

> > To reiterate -- we have a 'working' Samba server for the ADS domain of
> > which it is a member -- it just doesn't authenticate users who present
> > credentials from the MIT realm trusted by that domain which are mapped
> > in the AD of the member domain to AD accounts when the credentials are
> > presented by Windows clients.
> I have not addressed this type of configuration in any of the official 
> documentation as I consider this to be well outside of normal scope. If 
> someone is willing to contribute a chapter on Kerberos to ADS integration 
> involving Samba this will be most welcome.

This configuration is not as uncommon as it may seem.  Many universities
have existing Kerberos implementations and use Microsoft's 'AltSecID'
setup to map SIDs to Kerberos Realm userids in order to maintain single
sign-on.  We do this quite often at UW.  I didn't think Samba supported
this configuration at all, so I've never actually tried to make it work.
Are you saying it ought to work?
