[Samba] Samba & Active Directory w/ Kerberos Trust

Andrew Bartlett abartlet at samba.org
Sun Nov 4 20:39:28 MST 2012

On Thu, 2012-11-01 at 15:00 +0000, Rafferty, Joseph wrote:
> Hello,
> I'm having some difficulty understanding the best approach to setting up a samba fileserver in our environment. We have an active directory domain (2008) that has account "stubs" that we use for security and authorization (the passwords are unknown/random). This domain has a one-way Kerberos trust to an MIT Kerberos realm that we use for authentication. The user accounts are name-mapped to the corresponding principal name in the kerberos/authentication realm. I had planned to net join the server to the active directory realm for user and group resolution, but configure PAM to use pam_krb5 for authentication instead of winbind. However, it appears to me that, by design, Samba is not able to authenticate and authorize in two different realms this way for the following reason:
> "Samba always ignores PAM for authentication in the case of encrypt passwords = yes<http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/smb.conf.5.html#ENCRYPTPASSWORDS>"
> http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/pam.html
> Setting "encrypt passwords = no" results in the following testparm error:
> ERROR: in 'security=domain' mode the 'encrypt passwords' parameter must always be set to 'true'.
> Anyone successfully authenticating this way?
> Thanks for the help!
> -Joseph
> smb.conf:
> [global]
> log file = /var/log/samba/log.%m
> log level = auth:3
> max log size = 50
> security = ads
> netbios name = SERVERNAME
> realm = AD.DOMAIN.EDU<http://ad.domain.edu/>
> password server = dc.ad.domain.edu<http://dc.ad.domain.edu/>
> workgroup = AD
> idmap uid = 10000-5000000
> idmap gid = 10000-5000000
> winbind separator = +
> winbind enum users = no
> winbind enum groups = no
> winbind use default domain = yes
> obey pam restrictions = yes

What error do you get when you use *just* what you have above?

You should run winbind, and accept kerberos logins from your clients.
We need to be joined to the AD domain.

As long as the tickets contain a PAC, we really don't mind where they
came from. 

Don't try and involve PAM or turn off encrypted passwords, because we
never get a plaintext password from modern clients anyway.

Andrew Bartlett

Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org

More information about the samba mailing list