[Samba] Samba AD DC authenticated by external Kerberos (~ Re: Samba authentication using non-AD Kerberos?)

Gaiseric Vandal gaiseric.vandal at gmail.com
Thu Apr 27 14:35:25 UTC 2017

I currently have the following configuration:

  * My "authentication" servers are Samba 4 "classic" domain controllers.
  * Samba uses an LDAP backend (specifically Oracle Directory Server).
    The user accounts have both Unix and Samba attributes.
  * The authentication servers are also configured as Oracle Solaris
    Kerberos KDCs. The Kerberos principal and password data is also
    stored in LDAP.

Active directory doesn't play a role.

The result is that one user account can be used to authenticate Windows
clients (joined to the domain), Unix clients (using Kerberos) and
internal web sites that use LDAP authentication. The catch is that each
user actually has 3 passwords (one for Kerberos, one for Windows, one
for LDAP). The workaround is to have the Samba password sync script
change the LDAP and Kerberos passwords at the same time a user changes his
or her Windows password. Unix users will use the smbpasswd command
to change passwords.

Since I have an Oracle KDC with an Oracle LDAP server on the Oracle Solaris OS,
integrating Kerberos and LDAP is not that difficult. You still use
kadmin to manage Kerberos principals. Having Kerberos data in LDAP
makes replicating data between multi-master KDCs much easier.

On 04/27/17 09:22, S P Arif Sahari Wibowo via samba wrote:
> On 2017-04-27, 07:13, Gaiseric Vandal via samba wrote:
>> A Samba AD directory server (domain controller) is its own kerberos 
>> server. I don't see how you could configure it to use another KDC.
> I don't know Kerberos much, so I am wondering, can something like this
> be "delegated"?
>> Depending on how many computers are in your environment, it may be easier
>> to have the non-AD Kerberos clients use the Samba DC as the KDC.
> Definitely not easier in my case. The current OpenLDAP & Kerberos 
> server will definitely stay and most services will still use it. I 
> need to get a way for MS Windows to mount shares from my server using 
> credentials from existing OpenLDAP & Kerberos authentication system.
> Thank you.
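The "password sync script" arrangement described in the post above (one Windows password change driving the LDAP and Kerberos passwords) can be wired up through Samba's unix password sync hook. The script below is an added example written for this page; it is not the poster's script nor anything shipped by Samba or Oracle. It assumes a classic (ldapsam) Samba DC whose smb.conf carries the parameters shown in the header comment, a hypothetical admin principal `sync/admin` with a keytab at `/etc/krb5/sync.keytab`, the placeholder realm `EXAMPLE.COM`, and that the platform's kadmin reads the new password from standard input when `change_password` is given no `-pw` option (the LDAP side is left to Samba's own `ldap passwd sync = yes`, so no LDAP client tool is invoked here).

```shell
#!/bin/sh
# samba-krb-passwd-sync: hypothetical "passwd program" hook for Samba's
# unix password sync (added example, not code from the list post).
#
# Assumed smb.conf fragment on the classic DC:
#   passdb backend      = ldapsam:ldap://ldap.example.com
#   ldap passwd sync    = yes    # Samba rewrites userPassword in LDAP itself
#   unix password sync  = yes    # ...and runs this hook for the Kerberos side
#   passwd program      = /usr/local/sbin/samba-krb-passwd-sync %u
#   passwd chat         = *New*password* %n\n *updated*

REALM="${REALM:-EXAMPLE.COM}"                      # placeholder realm
KADMIN_PRINC="${KADMIN_PRINC:-sync/admin}"         # hypothetical admin principal
KADMIN_KEYTAB="${KADMIN_KEYTAB:-/etc/krb5/sync.keytab}"

# Accept only a plain account name before it is handed to kadmin.  Samba
# substitutes %u itself, but the hook still refuses anything with shell
# metacharacters, an embedded '@' (realm override) or a leading '-'/'.'.
validate_username() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*|-*|.*) return 1 ;;
    esac
    return 0
}

# Map a Samba/Unix account name to its Kerberos principal in our realm.
principal_for() {
    printf '%s@%s\n' "$1" "$REALM"
}

# Change the principal's password via kadmin.  The new password is fed on
# stdin (twice, for the confirmation prompt) rather than as a -pw argument,
# so it never shows up in ps output, audit logs or shell history.
# Returns 2 when the user name is rejected, otherwise kadmin's exit status.
krb_change_password() {
    user=$1
    newpw=$2
    validate_username "$user" || return 2
    princ=$(principal_for "$user")
    printf '%s\n%s\n' "$newpw" "$newpw" |
        kadmin -p "$KADMIN_PRINC" -k -t "$KADMIN_KEYTAB" \
               -q "change_password $princ" >/dev/null 2>&1
}

# Dialogue expected by the "passwd chat" line above: prompt, read the new
# password from Samba, then print "updated" only if the KDC accepted it.
main() {
    user=$1
    printf 'New password: '
    IFS= read -r newpw
    if krb_change_password "$user" "$newpw"; then
        printf 'Password updated\n'
    else
        printf 'Password update failed\n'
        exit 1
    fi
}

# Only run the chat dialogue when Samba invokes us with the user name.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Samba runs the hook as root, so the keytab only needs to be readable by root; the user never sees the kadmin credentials, and a failed kadmin call makes the chat fail so the Windows client is told the change did not go through instead of the passwords silently drifting apart.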
