[Samba] Kerberos with delegated domain

Robert LeBlanc robert at leblancnet.us
Fri May 29 20:33:22 GMT 2009


Ok, here is the set-up. We have a domain that is the main domain, it handles
DHCP and DNS for domain.edu. The DNS for domain.edu has NS records to
delegate domain.local to our Active Directory.

I am able to bind a machine just fine to the Active Directory without having
to change any of the client DNS settings (which point to domain.edu). File
services work fine. I'm trying to work out single sign-on with OpenSSH
server. I can get it working to itself just fine using either hostname,
hostname.domain.local and hostname.edu where hostname is the name of the
machine that is sshing to itself. When I have two machines set up exactly
the same, it doesn't work.

I've sniffed the traffic and I can see that Kerberos goes through both
domains looking for a principal that matches. The problem is that the
reverse DNS always sends back hostname.domain.edu, but the service
principals are hostname.domain.local. I'm guessing Kerberos uses the rDNS to
generate the service principal.

Is there some way to have winbind register both FQDNs as service principals
automatically on join? If not, how would I add a service principal to the
keytab that winbind generates? Or, how can I get Kerberos to use the short
version of principal that does not include domain.[edu|local]? I'm really new
to Kerberos at this level and I've spent about a week getting this far.

Thanks,
Robert
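The mismatch described in the post, reproduced as an added example (this is not code from the original message or from Samba). A default MIT Kerberos client forward-resolves the target name, then takes the PTR name as the canonical host part of host/<fqdn>@REALM; if the PTR zone hands back the .edu name while the keytab only holds the .local SPN, the ticket the client requests can never match a key the server has. The DNS records, the `klist -k` listing and the realm name DOMAIN.LOCAL below are all constructed so the script runs offline; on a real host the same check is `dig +short -x <ip>` against `klist -k`, and `kvno host/<fqdn>` to confirm the KDC will issue a ticket for the name the client actually derives.

```shell
#!/bin/sh
# Added example, not from the original post or from Samba. Constructed data
# stands in for DNS and for the keytab so the check runs offline.

REALM="DOMAIN.LOCAL"   # assumption: the AD realm that serves domain.local

# Constructed forward (A) records: name -> address. Clients in the post
# resolve through domain.edu, which delegates domain.local to AD.
FWD='host1.domain.local 10.0.0.11
host1.domain.edu 10.0.0.11
host2.domain.local 10.0.0.12
host2.domain.edu 10.0.0.12'

# Constructed PTR records: the main DNS answers reverse lookups with .edu names.
PTR='10.0.0.11 host1.domain.edu
10.0.0.12 host2.domain.edu'

# Constructed keytab listing in the shape `klist -k` prints; on join winbind
# registered only the .local SPN and the machine account.
KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/host2.domain.local@DOMAIN.LOCAL
   2 HOST2$@DOMAIN.LOCAL'

# lookup TABLE KEY -> prints the second column of the first matching row
lookup() {
    printf '%s\n' "$1" | awk -v k="$2" '$1 == k { print $2; exit }'
}

# Default MIT krb5 client behaviour (dns_canonicalize_hostname and rdns both
# true): forward-resolve the name, then use the PTR name as the canonical
# host component of host/<fqdn>@REALM.
derive_principal() {
    addr=$(lookup "$FWD" "$1")
    [ -n "$addr" ] || return 1
    canon=$(lookup "$PTR" "$addr")
    [ -n "$canon" ] || canon=$1
    printf 'host/%s@%s\n' "$canon" "$REALM"
}

# With `rdns = false` in the [libdefaults] section of krb5.conf the client
# keeps the name it was given instead of the PTR name.
derive_principal_no_rdns() {
    printf 'host/%s@%s\n' "$1" "$REALM"
}

# keytab_has PRINCIPAL -> exit 0 if the keytab listing contains it, else 1
keytab_has() {
    printf '%s\n' "$KEYTAB" | awk -v p="$1" '$2 == p { found = 1 } END { exit !found }'
}

# check_host NAME -> compare what the client will ask for with what the
# server can decrypt; exit 1 on a mismatch, 2 if the name does not resolve
check_host() {
    p=$(derive_principal "$1") || { echo "no A record for $1"; return 2; }
    if keytab_has "$p"; then
        echo "OK: $1 -> $p (in keytab)"
    else
        echo "MISMATCH: $1 -> $p (not in keytab)"
        return 1
    fi
}

# Demonstration: both names the user might ssh to end up at the .edu
# principal, which is absent from the keytab. `|| :` keeps the script going
# so every line is reported.
for h in host2.domain.local host2.domain.edu; do
    check_host "$h" || :
done
```

Two fixes follow from the output. Either register the name the clients will actually derive, which Samba's net(8) supports with `net ads keytab add host/hostname.domain.edu` (it adds the SPN to the machine account in AD and writes the matching key into the keytab), or stop the client from canonicalizing through rDNS with `rdns = false` under `[libdefaults]` in krb5.conf so `derive_principal_no_rdns` is the behaviour you get and the existing host/hostname.domain.local key is used. The first option is the one that keeps working for clients whose krb5.conf you do not control.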

