[Samba] Samba & Active Directory w/ Kerberos Trust

Rafferty, Joseph jrafferty at tamu.edu
Thu Nov 1 09:00:20 MDT 2012


I'm having some difficulty understanding the best approach to setting up a samba fileserver in our environment. We have an active directory domain (2008) that has account "stubs" that we use for security and authorization (the passwords are unknown/random). This domain has a one-way Kerberos trust to an MIT Kerberos realm that we use for authentication. The user accounts are name-mapped to the corresponding principal name in the kerberos/authentication realm. I had planned to net join the server to the active directory realm for user and group resolution, but configure PAM to use pam_krb5 for authentication instead of winbind. However, it appears to me that, by design, Samba is not able to authenticate and authorize in two different realms this way for the following reason:

"Samba always ignores PAM for authentication in the case of encrypt passwords = yes<http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/smb.conf.5.html#ENCRYPTPASSWORDS>"

Setting "encrypt passwords = no" results in the following testparm error:
ERROR: in 'security=domain' mode the 'encrypt passwords' parameter must always be set to 'true'.

Anyone successfully authenticating this way?

Thanks for the help!


log file = /var/log/samba/log.%m
log level = auth:3
max log size = 50
security = ads
netbios name = SERVERNAME
realm = AD.DOMAIN.EDU<http://ad.domain.edu/>
password server = dc.ad.domain.edu<http://dc.ad.domain.edu/>
workgroup = AD
idmap uid = 10000-5000000
idmap gid = 10000-5000000
winbind separator = +
winbind enum users = no
winbind enum groups = no
winbind use default domain = yes
obey pam restrictions = yes

More information about the samba mailing list