[Samba] samba server with two kerberos realms

Chad William Seys cwseys at physics.wisc.edu
Wed Mar 2 21:11:46 UTC 2016

> If your users are in /etc/passwd, they are *local* users, if they are
> also in AD, then the *local* user 'foo' is not the same user as 'foo' in AD.

All that matters for authentication on a kerberos KDC is that the correct 
password is given for the username.

Mapping username to UID/GIDs/etc is done by the local computer and access to 
files is allowed or disallowed based on the ACLs in the filesystem.

This is working just fine.

> > This works fine as I can log in with ssh using username/password from
> > either kerberos realms.
> > 
> >>> If sssd is not going to work for the overall goal of being able to use
> >>> credentials from either Kerberos realm to authenticate, then I'm happy
> >>> to
> >>> ditch it!
> >> 
> >> I am not saying that sssd won't work for what you are trying to do, you
> >> are just asking this in the wrong place, try the sssd-users mailing list.
> > 
> > It seems to me that samba is the sticking point.
> No it isn't, you are

Hmm, I agree if by that you mean I am not submitting a patch so that Samba can 
understand a list after REALM= .  :)

> > I hope to use /etc/passwd /etc/groups as the database of user and groups,
> > not get them from active directory.
> Then setup up the server as a 'standalone server' and give it a
> different workgroup name, it well then be a separate WORKGROUP and you
> will then have all the problems that entails including having to keep
> users and passwords in sync with your machines.

Right, that method would be silly b/c we already have everyones' credentials 
in kerberos servers.  Though there is CTDB or other ways of synchronizing tdbs 
as an option.

Sadly, the feature of using two or more Kerberos realms for authentication 
appears not to be implemented by Samba.

> >> To be honest, I have never needed to do this, but I don't think you
> >> actually authenticate to both kerberos realms, you just setup a trust
> >> between the two realms, try a search on the internet using 'active
> >> directory' and 'trusts'.
> > 
> > I think this would work, so long as the active directory admins agree to
> > add the krbtgt to their database!  Crossing my fingers.
> I do not think what you are trying do will work, try talking to your
> active directory admins about *TRUSTS*

Yep, as long as they are agreeable, this appears to be the workaround.

Thanks again!

More information about the samba mailing list