[Samba] samba server with two kerberos realms

Chad William Seys cwseys at physics.wisc.edu
Tue Mar 1 23:16:33 UTC 2016

Hi Rowland,

> Are you using sssd or nslcd ?

I am using sssd.  I can ssh into the server using credentials from either 
kerberos realm.
ssh cwseys@PHYSICS.WISC.EDU@smb01.physics.wisc.edu
ssh seys@AD.WISC.EDU@smb01.physics.wisc.edu

PHYSICS.WISC.EDU is an MIT kerberos KDC.
AD.WISC.EDU is an Active Directory KDC (etc).

The reason I thought sssd would be best is because I want to use the 
/etc/passwd file for user existence, and it was easy to set up.

If sssd is not going to work for the overall goal of being able to use 
credentials from either Kerberos realm to authenticate, then I'm happy to 
ditch it!

> Also on a domain member (this is what you have), you cannot use ' unix
> password sync', mainly because you can have users etc in AD or in
> /etc/passwd, but not both.

I thought as much, but also did not remove this default from the smb.conf as 
yet.  There are other mechanisms for changing passwords in the two Kerberos 

> To answer your original question, no I don't think you can have two
> 'Realms'. What you can have are trusts, I suggest you start here to see
> how to setup smb.conf correctly:
> https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member

I did not see anything useful for setting up authentication to multiple 
Kerberos realms or multiple trusts.

> Sorry but it isn't a standalone server.
>> # testparm
>> Load smb config files from /etc/samba/smb.conf
>> Processing section "[generic]"
>> Loaded services file OK.
>> Server role: ROLE_DOMAIN_MEMBER

Hmm, I also have 'server role = standalone server' in the config file, but I 
guess that has been overridden.

I have run 'net ads join -U myADUser' with REALM=AD.WISC.EDU in smb.conf.

It looks like 'net ads join' adds a machine principal into the AD.WISC.EDU 
kerberos database and into the local machine's keytab. What other config does 
it change?

Does 'net ads join' also override the 'server role =' setting in smb.conf, 
and does that explain why testparm reports 'Server role: ROLE_DOMAIN_MEMBER' 
instead of standalone?

Thanks for the help!
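[Added example, not part of the thread above or of the poster's configuration.]
Whatever Samba ends up doing with its single 'realm =', the Kerberos library
on the host still has to know both realms and decide which principals may
become which local accounts. The krb5.conf fragment below shows the shape of
that for the two realms named in the thread; the KDC hostnames and the
auth_to_local rules are assumptions for illustration. The point worth
checking is the last one: a bare 's/@.*//' rule would map a principal from
any realm onto a local account of the same name, so each rule here names the
realm it accepts.

```ini
# krb5.conf (added example; hostnames and rules are assumed, not taken from the thread)
[libdefaults]
    default_realm = PHYSICS.WISC.EDU
    dns_lookup_kdc = true
    rdns = false

[realms]
    PHYSICS.WISC.EDU = {
        # MIT KDC for the local realm (hostname assumed)
        kdc = kerberos.physics.wisc.edu
        admin_server = kerberos.physics.wisc.edu

        # MIT krb5 reads auth_to_local from the *default* realm's section
        # for principals of every realm, so both mappings live here.
        # [1:$1@$0] rewrites a one-component principal as "user@REALM",
        # the (regex) must match it, and the s/// yields the local name.

        # 1) Our own realm: cwseys@PHYSICS.WISC.EDU -> cwseys
        auth_to_local = RULE:[1:$1@$0](^[^@]+@PHYSICS\.WISC\.EDU$)s/@.*//

        # 2) The AD realm only (not every realm AD may trust):
        #    seys@AD.WISC.EDU -> seys
        #    Any AD user whose name collides with a local account in
        #    /etc/passwd (root, operators, service accounts) would map onto
        #    it, so audit those collisions before enabling the rule.
        auth_to_local = RULE:[1:$1@$0](^[^@]+@AD\.WISC\.EDU$)s/@.*//

        # Anything else: DEFAULT only maps principals in the default realm,
        # so principals from unlisted realms get no local account.
        auth_to_local = DEFAULT
    }
    AD.WISC.EDU = {
        # AD domain controllers are normally located via DNS SRV records;
        # an explicit kdc line is only needed where that lookup is blocked.
        kdc = ad.wisc.edu
    }

[domain_realm]
    .physics.wisc.edu = PHYSICS.WISC.EDU
    physics.wisc.edu  = PHYSICS.WISC.EDU
    .ad.wisc.edu      = AD.WISC.EDU
    ad.wisc.edu       = AD.WISC.EDU
```

This only covers the Kerberos-library side (GSSAPI logins through sshd and
anything else calling krb5_aname_to_localname); a login that sssd handles
itself through pam_sss follows sssd.conf, and Samba's own 'realm ='
remains a single value regardless of what krb5.conf lists.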

