[Samba] Samba4 + Kerberos cross-realms + ldap

Mauricio Tavares raubvogel at gmail.com
Tue Jun 28 03:12:24 MDT 2011

On 06/17/2011 02:00 AM, Andrew Bartlett wrote:
> On Tue, 2011-06-14 at 12:49 -0400, Mauricio Tavares wrote:
>>       Quick and easy question: I have a network which already has its
>> own kerberos + ldap servers running and I want to setup a samba4 box
>> as AD. So, from conversations here and on irc, the best thing to do is
>> to setup the samba4's built-in kerberos to do cross-realm
>> authentication with the other kerberos server. Now, how would those
>> crossed users look like in samba? Or, how would they be created in the
>> samba4 ldap so they would have, among other things, a local home
>> directory (or wherever the homedir; it just have to be in a place
>> samba can find, know what to do with it, and do it) which would the be
>> exported?
> I realise it's not a great answer, but currently we don't support
> cross-realm trusts.  We have some of the parts (they are being used for
> IPA), but I would not make any assumptions about it being fully working
> for what you need.  In particular, for the Microsoft modal, we should
> find the 'local' account for the principal and make up a PAC, none of
> which we do.
	Oh lovely. So I guess Samba 4 is out of question for me unless I want 
to move all of our authentication/authorization stuff that works fine 
with out Linux, Solaris, and OSX systems to Samba 4. And that is just 
not happening for many reasons.

This was the entire reason I went with it: I was hoping that somehow I 
would be able to sync it with our established kerberos/ldap setup. All I 
needed was just the kerberos part to work across realms. I should have 
read this reply a week ago.

> As to extending the Samba4 schema, this is a great option, except that a
> number of users have reported various issues here, which we are yet to
> resolve.
> Andrew Bartlett

More information about the samba mailing list