[Samba] Samba4 + Kerberos cross-realms + ldap

Andrew Bartlett abartlet at samba.org
Fri Jun 17 00:00:00 MDT 2011

On Tue, 2011-06-14 at 12:49 -0400, Mauricio Tavares wrote:
>      Quick and easy question: I have a network which already has its
> own kerberos + ldap servers running and I want to setup a samba4 box
> as AD. So, from conversations here and on irc, the best thing to do is
> to setup the samba4's built-in kerberos to do cross-realm
> authentication with the other kerberos server. Now, how would those
> crossed users look like in samba? Or, how would they be created in the
> samba4 ldap so they would have, among other things, a local home
> directory (or wherever the homedir; it just has to be in a place
> samba can find, know what to do with it, and do it) which would then be
> exported?

I realise it's not a great answer, but currently we don't support
cross-realm trusts.  We have some of the parts (they are being used for
IPA), but I would not make any assumptions about it being fully working
for what you need.  In particular, for the Microsoft model, we should
find the 'local' account for the principal and make up a PAC, none of
which we do.

As to extending the Samba4 schema, this is a great option, except that a
number of users have reported various issues here, which we are yet to

Andrew Bartlett

Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org