[Samba] samba server with two kerberos realms

Rowland penny rpenny at samba.org
Wed Mar 2 09:07:17 UTC 2016

On 01/03/16 23:16, Chad William Seys wrote:
> Hi Rowland,
>> Are you using sssd or nslcd ?
> I am using sssd.  I can ssh into the server using credentials from either
> kerberos realm.
> E.g.
> ssh cwseys at PHYSICS.WISC.EDU@smb01.physics.wisc.edu
> (works)
> ssh seys at AD.WISC.EDU@smb01.physics.wisc.edu
> (works)
> PHYSICS.WISC.EDU is an MIT kerberos KDC.
> AD.WISC.EDU is an Active Directory KDC (etc).
> The reason I thought sssd would be best is because I want to use the
> /etc/passwd file for user existence and was easy to set up.

You cannot have the same user in /etc/passwd and AD, i.e. user 'foo' in 
/etc/passwd could, and probably would, be seen as the AD user 'foo'.

> If sssd is not going to work for the overall goal of being able to use
> credentials from either Kerberos realm to authenticate, then I'm happy to
> ditch it!

I am not saying that sssd won't work for what you are trying to do, you 
are just asking this in the wrong place, try the sssd-users mailing list.

>> Also on a domain member (this is what you have), you cannot use 'unix
>> password sync', mainly because you can have users etc in AD or in
>> /etc/passwd, but not both.
> I thought as much, but also did not remove this default from the smb.conf as
> yet.  There are other mechanisms for changing passwords in the two Kerberos
> realms.
>> To answer your original question, no I don't think you can have two
>> 'Realms'. What you can have are trusts, I suggest you start here to see
>> how to setup smb.conf correctly:
>> https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member
> I did not see anything useful for setting up authentication to multiple
> Kerberos realms or multiple trusts.

To be honest, I have never needed to do this, but I don't think you 
actually authenticate to both kerberos realms, you just setup a trust 
between the two realms, try a search on the internet using 'active 
directory' and 'trusts'.

>> Sorry but it isn't a standalone server.
>>> # testparm
>>> Load smb config files from /etc/samba/smb.conf
>>> Processing section "[generic]"
>>> Loaded services file OK.
>>> Server role: ROLE_DOMAIN_MEMBER
> Hmm, I also have 'server role = standalone server' in the config file, but I
> guess that has been overridden.

Just adding 'server role' to a machine you have joined to a domain isn't 
going to make it a standalone server. The definition of a 'standalone 
server' is a server that is not connected to a domain and holds its own 
database of users, groups etc.

> I have run 'net ads join -U myADUser' when REALM=AD.WISC.EDU .
> It looks like 'net ads join' adds a machine principal into the AD.WISC.EDU
> kerberos database and into the local machine's keytab. What other config does
> it change?

It probably creates a keytab.

> Does 'net ads join' also override the 'server role =' in smb.conf and this
> explains why 'Server role ROLE_DOMAIN_MEMBER' instead of standalone?
> Thanks for the help!
> Chad.
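Added example (not part of the post, and not Samba project code): a small POSIX shell check for the overlap Rowland warns about above, local /etc/passwd accounts whose names also exist in AD on a domain member. The sample /etc/passwd text and the sample 'wbinfo -u' output below are constructed so the script runs offline; on a real member server you would feed it the files-only passwd entries and the real 'wbinfo -u' listing instead. The DOMAIN\user prefix form and the UID cutoff of 1000 are assumptions for the sample, not facts from the thread.

```shell
#!/bin/sh
# Added example, not from the samba list post: report /etc/passwd accounts
# whose login name collides with an AD account name on a domain member.

# Constructed sample /etc/passwd content (assumption, not from the post).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
foo:x:1001:1001:Foo Local:/home/foo:/bin/bash
cwseys:x:1002:1002:Chad:/home/cwseys:/bin/bash
backup:x:1003:1003:Backup:/home/backup:/bin/sh'

# Constructed sample `wbinfo -u` output in DOMAIN\user form, i.e. without
# 'winbind use default domain = yes' (assumption, not from the post).
SAMPLE_WBINFO='AD\Foo
AD\seys
AD\administrator'

# local_users PASSWD_TEXT MIN_UID
# Login names of non-system accounts (uid >= MIN_UID), lower-cased, sorted.
local_users() {
    printf '%s\n' "$1" |
        awk -F: -v min="$2" '$3 >= min { print tolower($1) }' |
        sort -u
}

# ad_users WBINFO_TEXT
# Strip an optional DOMAIN\ prefix and lower-case the name: AD account
# names are case-insensitive, /etc/passwd names are not, so 'Foo' in AD
# and 'foo' locally are the collision we are looking for.
ad_users() {
    printf '%s\n' "$1" |
        sed 's/^[^\\]*\\//' |
        tr 'A-Z' 'a-z' |
        sort -u
}

# collisions PASSWD_TEXT WBINFO_TEXT MIN_UID
# Names present in both lists, one per line; empty output means no overlap.
# Implemented with awk rather than comm/process substitution to stay POSIX.
collisions() {
    {
        local_users "$1" "$3" | sed 's/^/L /'
        ad_users "$2" | sed 's/^/A /'
    } | awk '$1 == "L" { seen[$2] = 1 }
             $1 == "A" && ($2 in seen) { print $2 }' | sort -u
}

# Stand-alone run on the constructed sample: prints "foo", because the local
# user 'foo' (uid 1001) would be resolved as the AD user 'AD\Foo'.
collisions "$SAMPLE_PASSWD" "$SAMPLE_WBINFO" 1000
```

On a live member server, replace SAMPLE_PASSWD with the output of 'getent passwd' restricted to the files source (or simply cat /etc/passwd) and SAMPLE_WBINFO with 'wbinfo -u'; any name the script prints is an account that should be renamed locally or dropped in favour of the AD account before enabling AD identity lookup on that host.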
