[Samba] ADS mode / MIT realm trust problem (3.0.20b)

John H Terpstra jht at samba.org
Tue Nov 29 18:24:07 GMT 2005

On Tuesday 29 November 2005 11:18, Aaron Grewell wrote:
> > > To reiterate -- we have a 'working' Samba server for the ADS domain of
> > > which it is a member -- it just doesn't authenticate users who present
> > > credentials from the MIT realm trusted by that domain which are mapped
> > > in the AD of the member domain to AD accounts when the credentials are
> > > presented by Windows clients.
> >
> > I have not addressed this type of configuration in any of the official
> > documentation as I consider this to be well outside of normal scope. If
> > someone is willing to contribute a chapter on Kerberos to ADS integration
> > involving Samba this will be most welcome.
> This configuration is not as uncommon as it may seem.  Many universities
> have existing Kerberos implementations and use Microsoft's 'AltSecID'
> setup to map SIDs to Kerberos Realm userid's in order to maintain single
> sign-on.  We do this quite often at UW.  I didn't think Samba supported
> this configuration at all, so I've never actually tried to make it work.
> Are you saying it ought to work?

I have not tried it and thus have no personal knowledge to work from, that's a 
key reason I asked for contributed input.

- John T.

More information about the samba mailing list