[Samba] ADS mode / MIT realm trust problem (3.0.20b)
John H Terpstra
jht at samba.org
Tue Nov 29 18:24:07 GMT 2005
On Tuesday 29 November 2005 11:18, Aaron Grewell wrote:
> > > To reiterate -- we have a 'working' Samba server for the ADS domain of
> > > which it is a member -- it just doesn't authenticate users who present
> > > credentials from the MIT realm trusted by that domain which are mapped
> > > in the AD of the member domain to AD accounts when the credentials are
> > > presented by Windows clients.
> >
> > I have not addressed this type of configuration in any of the official
> > documentation as I consider this to be well outside of normal scope. If
> > someone is willing to contribute a chapter on Kerberos to ADS integration
> > involving Samba this will be most welcome.
>
> This configuration is not as uncommon as it may seem. Many universities
> have existing Kerberos implementations and use Microsoft's 'AltSecID'
> setup to map SIDs to Kerberos Realm userids in order to maintain single
> sign-on. We do this quite often at UW. I didn't think Samba supported
> this configuration at all, so I've never actually tried to make it work.
> Are you saying it ought to work?
I have not tried it and thus have no personal knowledge to work from; that's a
key reason I asked for contributed input.
- John T.