[Samba] Samba & Active Directory w/ Kerberos Trust

Andrew Bartlett abartlet at samba.org
Mon Nov 5 13:09:08 MST 2012

On Mon, 2012-11-05 at 19:58 +0000, Rafferty, Joseph wrote:
> Hi Andrew, thanks for the reply.
> Presently, my configuration (as shown) works great for user accounts with known passwords within the active directory domain (very few of these - mostly admin, service, & test accounts). The issue lies when trying to use upn-mapped user accounts. Active directory is not supposed to be the authentication authority for those accounts, so when they're created (via some script - not in my control), the passwords are long randomly-generated strings. However, because of the Kerberos trust and UPN mapping, a user can masq as that AD user with a valid TGT from the trusted realm.
> Trying to login as one of the mapped users: NT_STATUS_LOGON_FAILURE
> Regarding the PAC: the trusted realm is MIT Kerberos. I think there are plans to mirror this in an AD domain somewhere, but I haven't heard anything more on this.

I *think* the idea with this kind of trust/mapping thing is that 'AD'
servers (like Samba) get a ticket that includes the PAC, even if the
initial user came from MIT. 

That's pretty much the only way we can work, if we are to get the
windows groups etc.  You will need to dig in further into why we return
LOGON_FAILURE with a higher log level and our debug logs.

Andrew Bartlett

Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
