[Samba] Samba4 + Kerberos cross-realms + ldap
Mauricio Tavares
raubvogel at gmail.com
Tue Jun 28 03:12:24 MDT 2011
On 06/17/2011 02:00 AM, Andrew Bartlett wrote:
> On Tue, 2011-06-14 at 12:49 -0400, Mauricio Tavares wrote:
>> Quick and easy question: I have a network which already has its
>> own kerberos + ldap servers running and I want to set up a samba4 box
>> as AD. So, from conversations here and on irc, the best thing to do is
>> to set up the samba4's built-in kerberos to do cross-realm
>> authentication with the other kerberos server. Now, what would those
>> crossed users look like in samba? Or, how would they be created in the
>> samba4 ldap so they would have, among other things, a local home
>> directory (or wherever the homedir is; it just has to be in a place
>> samba can find, know what to do with it, and do it) which would then be
>> exported?
>
> I realise it's not a great answer, but currently we don't support
> cross-realm trusts. We have some of the parts (they are being used for
> IPA), but I would not make any assumptions about it being fully working
> for what you need. In particular, for the Microsoft model, we should
> find the 'local' account for the principal and make up a PAC, none of
> which we do.
>
Oh lovely. So I guess Samba 4 is out of the question for me unless I want
to move all of our authentication/authorization stuff that works fine
with our Linux, Solaris, and OSX systems to Samba 4. And that is just
not happening for many reasons.
This was the entire reason I went with it: I was hoping that somehow I
would be able to sync it with our established kerberos/ldap setup. All I
needed was just the kerberos part to work across realms. I should have
read this reply a week ago.
> As to extending the Samba4 schema, this is a great option, except that a
> number of users have reported various issues here, which we are yet to
> resolve.
>
> Andrew Bartlett
>