[Samba] samba server with two kerberos realms
Chad William Seys
cwseys at physics.wisc.edu
Tue Mar 1 23:16:33 UTC 2016
> Are you using sssd or nslcd ?
I am using sssd. I can ssh into the server using credentials from either
ssh cwseys@PHYSICS.WISC.EDU@smb01.physics.wisc.edu
ssh seys@AD.WISC.EDU@smb01.physics.wisc.edu
PHYSICS.WISC.EDU is an MIT kerberos KDC.
AD.WISC.EDU is an Active Directory KDC (etc).
The reason I thought sssd would be best is because I want to use the
/etc/passwd file for user existence and it was easy to set up.
If sssd is not going to work for the overall goal of being able to use
credentials from either Kerberos realm to authenticate, then I'm happy to
> Also on a domain member (this is what you have), you cannot use ' unix
> password sync', mainly because you can have users etc in AD or in
> /etc/passwd, but not both.
I thought as much, but also did not remove this default from the smb.conf as
yet. There are other mechanisms for changing passwords in the two Kerberos
> To answer your original question, no I don't think you can have two
> 'Realms'. What you can have are trusts, I suggest you start here to see
> how to setup smb.conf correctly:
I did not see anything useful for setting up authentication to multiple
Kerberos realms or multiple trusts.
>Sorry but it isn't a standalone server.
>> # testparm
>> Load smb config files from /etc/samba/smb.conf
>> Processing section "[generic]"
>> Loaded services file OK.
>> Server role: ROLE_DOMAIN_MEMBER
Hmm, I also have 'server role = standalone server' in the config file, but I
guess that has been overridden.
I have run 'net ads join -U myADUser' when REALM=AD.WISC.EDU.
It looks like 'net ads join' adds a machine principal into the AD.WISC.EDU
kerberos database and into the local machine's keytab. What other config does
Does 'net ads join' also override the 'server role =' in smb.conf, and does that
explain why it shows 'Server role: ROLE_DOMAIN_MEMBER' instead of standalone?
Thanks for the help!
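As an added example (not part of the thread and not Samba's own tooling): a small POSIX shell script that performs the two checks the message above reasons about, whether the join left the host/ and machine-account principals for AD.WISC.EDU in the system keytab, and which role testparm reports. The klist and testparm output embedded below is constructed, in the format of MIT 'klist -k' and of the testparm run quoted in the thread, so the script runs offline; the host name smb01.physics.wisc.edu and both realms come from the thread, while the SMB01$ account name and the extra PHYSICS.WISC.EDU keytab entry are assumptions. One caveat a practitioner should keep in mind: Samba writes these entries to /etc/krb5.keytab only when 'kerberos method' includes the keytab (or after 'net ads keytab create'); with the default 'secrets only' the machine password lives in secrets.tdb, the keytab checks below fail, and the join is still fine.

```shell
#!/bin/sh
# Added example: post-'net ads join' sanity checks for a Samba domain member.
# The two samples are CONSTRUCTED stand-ins for real command output so the
# script runs offline. On a real host replace them with:
#   SAMPLE_KLIST=$(klist -k /etc/krb5.keytab)
#   SAMPLE_TESTPARM=$(testparm -s 2>&1)     # "Server role:" is printed on stderr

SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/smb01.physics.wisc.edu@AD.WISC.EDU
   2 SMB01$@AD.WISC.EDU
   2 cifs/smb01.physics.wisc.edu@AD.WISC.EDU
   3 host/smb01.physics.wisc.edu@PHYSICS.WISC.EDU'

SAMPLE_TESTPARM='Load smb config files from /etc/samba/smb.conf
Processing section "[generic]"
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
# Global parameters
[global]
    realm = AD.WISC.EDU
    security = ADS
    server role = standalone server
    workgroup = AD'

# Print every principal in the klist output that belongs to the given realm.
# The principal is the last whitespace-separated field of each entry line;
# header lines have no "@" and are skipped by the exact split/compare.
keytab_principals_for_realm() {
    printf '%s\n' "$1" | awk -v realm="$2" '
        { n = split($NF, parts, "@"); if (n == 2 && parts[2] == realm) print $NF }'
}

# Exit 0 if the keytab output lists the given principal exactly (no regex,
# so the "$" in a machine account name needs no escaping).
keytab_has_principal() {
    printf '%s\n' "$1" | awk -v want="$2" '
        BEGIN { missing = 1 } $NF == want { missing = 0 } END { exit missing }'
}

# Print the role testparm reports, e.g. ROLE_DOMAIN_MEMBER, or nothing.
testparm_role() {
    printf '%s\n' "$1" | awk '/^Server role:/ { print $3; exit }'
}

# Verify a member server join: the host/ service principal and the NETBIOS$
# machine account for the joined realm must be in the keytab, and testparm
# must report ROLE_DOMAIN_MEMBER. Prints one verdict per check, returns 1 if
# any check failed.
#   $1 fqdn   $2 realm   $3 klist -k output   $4 testparm output
verify_join() {
    host="$1"; realm="$2"; klist_out="$3"; testparm_out="$4"
    rc=0
    # NetBIOS name = first DNS label, upper-cased (assumption: no explicit
    # 'netbios name' override in smb.conf)
    short=$(printf '%s' "$host" | cut -d. -f1 | tr '[:lower:]' '[:upper:]')
    for p in "host/$host@$realm" "$short\$@$realm"; do
        if keytab_has_principal "$klist_out" "$p"; then
            echo "ok   keytab has $p"
        else
            echo "FAIL keytab lacks $p"; rc=1
        fi
    done
    role=$(testparm_role "$testparm_out")
    if [ "$role" = "ROLE_DOMAIN_MEMBER" ]; then
        echo "ok   testparm reports $role"
    else
        echo "FAIL testparm reports '${role:-nothing}', expected ROLE_DOMAIN_MEMBER"; rc=1
    fi
    return $rc
}

# Stand-alone run against the constructed samples.
verify_join smb01.physics.wisc.edu AD.WISC.EDU "$SAMPLE_KLIST" "$SAMPLE_TESTPARM"
echo "PHYSICS.WISC.EDU principals in keytab:"
keytab_principals_for_realm "$SAMPLE_KLIST" PHYSICS.WISC.EDU
```

Run it as a whole with sh on the member server after swapping in the real klist and testparm output; a second realm's principals showing up under keytab_principals_for_realm only tells you the keys exist, not that Samba will use them, since a single smb.conf 'realm' still governs which realm the server itself is joined to.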