[Samba] samba server with two kerberos realms

Rowland penny rpenny at samba.org
Wed Mar 2 09:07:17 UTC 2016


On 01/03/16 23:16, Chad William Seys wrote:
> Hi Rowland,
>
>> Are you using sssd or nslcd ?
> I am using sssd.  I can ssh into the server using credentials from either
> kerberos realm.
> E.g.
> ssh cwseys@PHYSICS.WISC.EDU@smb01.physics.wisc.edu
> (works)
> ssh seys@AD.WISC.EDU@smb01.physics.wisc.edu
> (works)
>
> PHYSICS.WISC.EDU is an MIT kerberos KDC.
> AD.WISC.EDU is an Active Directory KDC (etc).
>
> The reason I thought sssd would be best is because I want to use the
> /etc/passwd file for user existence and it was easy to set up.

You cannot have the same user in /etc/passwd and AD i.e. user 'foo' in 
/etc/passwd could, and probably would, be seen as the AD user 'foo'.

>
> If sssd is not going to work for the overall goal of being able to use
> credentials from either Kerberos realm to authenticate, then I'm happy to
> ditch it!

I am not saying that sssd won't work for what you are trying to do, you 
are just asking this in the wrong place, try the sssd-users mailing list.

>
>> Also on a domain member (this is what you have), you cannot use ' unix
>> password sync', mainly because you can have users etc in AD or in
>> /etc/passwd, but not both.
> I thought as much, but also did not remove this default from the smb.conf as
> yet.  There are other mechanisms for changing passwords in the two Kerberos
> realms.
>
>> To answer your original question, no I don't think you can have two
>> 'Realms'. What you can have are trusts, I suggest you start here to see
>> how to setup smb.conf correctly:
>>
>> https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member
> I did not see anything useful for setting up authentication to multiple
> Kerberos realms or multiple trusts.

To be honest, I have never needed to do this, but I don't think you 
actually authenticate to both kerberos realms, you just setup a trust 
between the two realms, try a search on the internet using 'active 
directory' and 'trusts'.

>
>> Sorry but it isn't a standalone server.
>>
>>> # testparm
>>> Load smb config files from /etc/samba/smb.conf
>>> Processing section "[generic]"
>>> Loaded services file OK.
>>> Server role: ROLE_DOMAIN_MEMBER
> Hmm, I also have 'server role = standalone server' in the config file, but I
> guess that has been overridden.

Just adding 'server role' to a machine you have joined to a domain isn't 
going to make it a standalone server. The definition of a 'standalone 
server' is a server that is not connected to a domain and holds its own 
database of users, groups etc.


>
> I have run 'net ads join -U myADUser' when REALM=AD.WISC.EDU .
>
> It looks like 'net ads join' adds a machine principal into the AD.WISC.EDU
> kerberos database and into the local machine's keytab. What other config does
> it change?

It probably creates a keytab.

>
> Does 'net ads join' also override the 'server role =' in smb.conf and this
> explains why 'Server role ROLE_DOMAIN_MEMBER' instead of standalone?

Yes

Rowland

> Thanks for the help!
> Chad.
>
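A small lint for the smb.conf pitfalls Rowland points out above (a 'server role = standalone server' line on a joined domain member, 'unix password sync' on a domain member, and 'security = ads' without a realm). This is an added example, not code from the thread or from Samba itself; it assumes configparser is enough for a plain smb.conf (no 'include =' directives), and the sample config is constructed.

```python
import configparser

TRUE_VALUES = {"yes", "true", "1"}


def parse_smb_conf(text):
    """Parse smb.conf text; keys are case-insensitive and may contain spaces."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   empty_lines_in_values=False)
    cp.read_string(text)
    return cp


def lint_domain_member(text):
    """Return a list of findings about domain-member settings in an smb.conf."""
    cp = parse_smb_conf(text)
    g = cp["global"] if cp.has_section("global") else {}
    security = g.get("security", "").strip().lower()
    realm = g.get("realm", "").strip()
    role = g.get("server role", "").strip().lower()
    findings = []
    # 'security = ads' (or 'domain') and a configured realm mark a domain
    # member; testparm then reports ROLE_DOMAIN_MEMBER whatever 'server role' says.
    member = security in ("ads", "domain") or bool(realm)
    if member and role in ("standalone", "standalone server"):
        findings.append("server role '%s' conflicts with domain-member settings "
                        "(security=%s, realm=%s)"
                        % (role, security or "unset", realm or "unset"))
    if member and g.get("unix password sync", "no").strip().lower() in TRUE_VALUES:
        findings.append("'unix password sync' is not usable on a domain member: "
                        "users are either in AD or in /etc/passwd, not both")
    if security == "ads" and not realm:
        findings.append("'security = ads' requires 'realm' to be set")
    return findings


# Constructed sample resembling the configuration discussed in the thread.
SAMPLE_SMB_CONF = """\
[global]
workgroup = AD
realm = AD.WISC.EDU
security = ads
server role = standalone server
unix password sync = yes

[generic]
path = /srv/generic
read only = no
"""

if __name__ == "__main__":
    for finding in lint_domain_member(SAMPLE_SMB_CONF):
        print("WARNING:", finding)
```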