[Samba] How to configure krb5 for multiple domains or domain and its sub-domains

Le, Anh anh.le at cognex.com
Tue Aug 23 13:17:56 MDT 2011

Hi Mauricio,

First of all, thank you for the reply. Secondly, those subdomains are child domains of pc.example.com in windows dns.  And here is my current krb5.conf file.  user at pc.example.com is connecting fine. But not the user at europe.pc.example.com or user at asia.pc.example.com. These users will be prompted for the username and password. By the way we use kerberos with winbind.

        default_realm = PC.EXAMPLE.COM
        dns_lookup_kdc = true
        verify_ap_req_nofail = false
        clockskew = 300

        PC.EXAMPLE.COM = {
                kdc = server1.pc.example.com
                admin_server = server1.pc. example.com
                default_domain = pc. example.com

       .kerberos.server = PC. EXAMPLE.COM
       pc. example.com = PC. EXAMPLE.COM
       .pc. example.com = PC. EXAMPLE.COM

        default = FILE:/var/krb5/kdc.log
        kdc = FILE:/var/log/kdc.log
        kdc_rotate = {

# How often to rotate kdc.log. Logs will get rotated no more
# often than the period, and less often if the KDC is not used
# frequently.

                period = 1d

# how many versions of kdc.log to keep around (kdc.log.0, kdc.log.1, ...)

                versions = 10

        kinit = {
                renewable = true
                forwardable= true
        gkadmin = {
                help_url = http://docs.sun.com:80/ab2/coll.384.1/SEAM/@AB2PageView/1195
Thanks a lot,


-----Original Message-----
From: Mauricio Tavares [mailto:raubvogel at gmail.com] 
Sent: Tuesday, August 23, 2011 12:50 PM
To: samba at lists.samba.org
Subject: Re: [Samba] How to configure krb5 for multiple domains or domain and its sub-domains

On Aug 23, 2011 11:13 AM, "Le, Anh" <anh.le at cognex.com> wrote:
> Hi All,
> I've configured my samba server (3.5.11) working and joined to my 
> domain
pc.example.com. Every user of pc.example.com is able to view the shared folders and files of my samba server without any problem.
> However, the users of my sub-domains Europe.pc.example.com  and
Asia.pc.example.com could not connect and view the shared folders of my samba server. They were prompted for the passwords and it does not accept their passwords when the users entered. I guess it has this problem because my current krb5 is only setup for my main domain pc.example.com.
> I don't know the syntax for the multiple domains or domain and its
sub-domains of krb5.conf file. It will be very appreciated if anyone can help me.
      Are those subdomains as in dns subdomains or samba workgroups/domains?
Are they all supposed to be in the same kerberos realm?

> Thanks a lot,
> Anh.
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

More information about the samba mailing list