[Samba] Samba AD DC authenticated by non-AD Kerberos (~ Re: Samba authentication using non-AD Kerberos?)

Andrew Bartlett abartlet at samba.org
Sat Apr 22 08:25:24 UTC 2017

On Thu, 2017-04-20 at 10:42 -0600, S P Arif Sahari Wibowo via samba
> On 2017-04-20, 07:46, Rowland Penny via samba wrote:
> > I don't think you can.
> It will be very sad if that's the case, since it means Samba is 
> not an adequate tool for this purpose. If we need to manage a 
> separate password database anyway, there is no difference from just 
> having the Windows support person set up a Windows box to do the 
> file sharing.
> I was hoping to convince the decision maker to use Samba with the 
> real advantage of integrating with the main LDAP/Kerberos ID 
> management infrastructure. It will be sad to see that this is 
> something that cannot be done by the FOSS community.

Please avoid the 'moral blackmail' implication.  Perhaps it was not
your intention, but occasionally we get folks who come here with a
sense that somehow Samba or the Free Software world is poorer if their
use case isn't addressed.  That is, it feels like we are being goaded
into providing an answer or fix, and that isn't nice.

Please do use Samba where it works well for your use case, where it fits
how you like to run your network, whether practically, ethically or

> > just what do you need to get to work with AD,
> The LDAP/Kerberos is already established - extensively used and 
> secured - so it won't go anywhere. I want to use Samba but it 
> has to be integrated into existing authentication mechanism.

This wasn't at all clear in your original message.  It does help to
have the full context.  It isn't nearly as common as pure AD, but you
can run Samba as I described, for clients that have a Kerberos ticket.

Environments such as you describe should already have established
procedures for extracting a keytab for a new service, so follow those
for that part, and configure Samba as I instructed, with
'security=user' and 'use kerberos keytab = system keytab'.

However, this won't kerberise Windows or MacOS clients that were not
already kerberised by some other means.  Windows clients are the
hardest in this context. 

I don't think the IO_TIMEOUT message you mentioned is the last word on
this.  You should first get Samba working with a local passdb file (eg
set a password for the users with smbpasswd -a), then move to Kerberos
once you get that working.

I hope this helps clarify things. 

Andrew Bartlett

Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
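As an added illustration of the two-stage approach recommended above (constructed for this page, not part of the thread), here is an smb.conf for a standalone Samba file server: stage 1 authenticates against the local passdb only, stage 2 switches to the keytab exported from the existing Kerberos realm. The realm, host, share and group names are assumptions, and the option the reply calls 'use kerberos keytab = system keytab' is spelled kerberos method = system keytab in smb.conf(5).

```ini
# Constructed smb.conf for a standalone Samba file server whose users are
# authenticated by an existing (non-AD) Kerberos realm. Example only,
# not taken from the thread; realm, host and group names are assumed.
[global]
    workgroup = EXAMPLE
    # The existing MIT/Heimdal realm (assumed name)
    realm = EXAMPLE.ORG
    netbios name = FILESRV
    # Standalone server mode, as recommended in the reply
    security = user

    # Stage 1: prove SMB access works with no Kerberos involved at all.
    # "secrets only" is the default, so the system keytab is not consulted.
    # Populate the local passdb and test with a plain password:
    #   smbpasswd -a alice
    #   smbclient //filesrv/share -U alice
    kerberos method = secrets only

    # Stage 2: once stage 1 works, switch to the keytab the Kerberos admins
    # exported for cifs/filesrv.example.org@EXAMPLE.ORG into the system
    # default keytab (/etc/krb5.keytab, assumed path). Clients that already
    # hold a TGT then connect without sending a password:
    #   kinit alice && smbclient -k //filesrv.example.org/share
    #kerberos method = system keytab

    # Samba still needs a Unix account for every principal it accepts, so
    # usernames must resolve through NSS (e.g. from the same LDAP directory).

[share]
    path = /srv/share
    # Assumed group, served by the LDAP directory via NSS
    valid users = @staff
    read only = no
```

Comments in smb.conf must sit on their own lines, which is why the stage 2 line is kept as a commented-out parameter to be swapped in rather than an inline note.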