[Samba] samba server with two kerberos realms

Chad William Seys cwseys at physics.wisc.edu
Wed Mar 2 20:12:58 UTC 2016


Hi Rowland et al,

> > The reason I thought sssd would be best is because I want to use the
> > /etc/passwd file for user existence and was easy to set up.
> 
> You cannot have the same user in /etc/passwd and AD i.e. user 'foo' in
> /etc/passwd could, and probably would, be seen as the AD user 'foo'.

The way the system is set up, username existence and UID is determined by 
/etc/passwd. Then sssd checks whether username/password are correct or not 
with the kerberos servers and retrieves nothing else (from them).

This works fine as I can log in with ssh using username/password from either 
kerberos realm.

> > If sssd is not going to work for the overall goal of being able to use
> > credentials from either Kerberos realm to authenticate, then I'm happy to
> > ditch it!
> 
> I am not saying that sssd won't work for what you are trying to do, you
> are just asking this in the wrong place, try the sssd-users mailing list.

It seems to me that samba is the sticking point.

If REALM=AD.WISC.EDU I can gain access to samba shares with seys@AD.WISC.EDU, 
but not cwseys@PHYSICS.WISC.EDU.

If REALM=PHYSICS.WISC.EDU, cwseys@PHYSICS.WISC.EDU can gain access, but 
seys@AD.WISC.EDU can not.

I change nothing else besides REALM= in smb.conf.

My guess is that Samba is using REALM=BLAH to check only principals in the 
keytab whose realm is BLAH.

So, it seems as though if Samba could be taught to understand a realm list 
REALM=BLAH,FOO,BAR and check principals from all of them in the keytab, then 
my problem would be solved.

> Just adding 'server role' to a machine you have joined to a domain isn't
> going to make it a standalone server. The definition of a 'standalone
> server' is a server that is not connected to a domain and holds its own
> database of users, groups etc.

I hope to use /etc/passwd /etc/groups as the database of user and groups, not 
get them from active directory.

So I guess I'm hoping for semi-joined.  :)

> To be honest, I have never needed to do this, but I don't think you
> actually authenticate to both kerberos realms, you just setup a trust
> between the two realms, try a search on the internet using 'active
> directory' and 'trusts'.

I think this would work, so long as the active directory admins agree to add 
the krbtgt to their database!  Crossing my fingers.

Thanks again!
Chad.
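An added diagnostic, not part of the original thread, that checks the hypothesis stated in the message above (that Samba only honours keytab principals whose realm matches the single `realm =` setting): it parses constructed `klist -k` output and a constructed smb.conf fragment and reports the keytab realms that setting does not cover. The host name, principals and keytab path are assumed sample values.

```python
import re
from collections import defaultdict

# Constructed sample of `klist -k` output (not from the original post): a
# keytab holding machine principals from two realms.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/fileserver.physics.wisc.edu@PHYSICS.WISC.EDU
   3 cifs/fileserver.physics.wisc.edu@PHYSICS.WISC.EDU
   5 host/fileserver.physics.wisc.edu@AD.WISC.EDU
   5 FILESERVER$@AD.WISC.EDU
"""

# Constructed smb.conf fragment; assumes a single `realm =` entry in [global].
SAMPLE_SMB_CONF = """\
[global]
   workgroup = PHYSICS
   realm = AD.WISC.EDU
   security = ads
   kerberos method = secrets and keytab
"""

# One keytab entry line: KVNO, whitespace, principal@REALM.
PRINCIPAL_RE = re.compile(r"^\s*\d+\s+(?P<name>\S+)@(?P<realm>[A-Z0-9.\-]+)\s*$")


def keytab_realms(klist_output):
    """Map each realm found in klist -k output to the principal names under it."""
    realms = defaultdict(list)
    for line in klist_output.splitlines():
        m = PRINCIPAL_RE.match(line)
        if m:
            realms[m.group("realm").upper()].append(m.group("name"))
    return dict(realms)


def smb_conf_realm(conf_text):
    """Return the value of the smb.conf `realm` parameter (upper-cased) or None."""
    for line in conf_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() == "realm":
            return value.strip().upper()
    return None


def uncovered_realms(klist_output, conf_text):
    """Realms with keys in the keytab that are not the configured smb.conf realm."""
    configured = smb_conf_realm(conf_text)
    return sorted(r for r in keytab_realms(klist_output) if r != configured)
```

Users whose principals live in a realm listed by `uncovered_realms` are the ones the message describes as unable to reach the shares until `realm` is switched to their realm.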
