[Samba] Samba AD DC authenticated by external Kerberos (~ Re: Samba authentication using non-AD Kerberos?)

Andrew Bartlett abartlet at samba.org
Thu Apr 27 19:18:11 UTC 2017

On Thu, 2017-04-27 at 07:22 -0600, S P Arif Sahari Wibowo via samba
> On 2017-04-27, 07:13, Gaiseric Vandal via samba wrote:
> > A Samba AD directory server (domain controller) is its own 
> > kerberos server. I don't see how you could configure it to use 
> > another KDC.
> I don't know Kerberos much, so I am wondering can something like 
> this "delegated"?

This is the (unimplemented) 'MIT Trust' I described earlier. 

> > Depending on how may computers in your environment, it may be 
> > easier to have the non-AD Kerberos clients use to the Samba DC 
> > as the KDC.
> Definitely not easier in my case. The current OpenLDAP & 
> Kerberos server will definitely stay and most services will 
> still use it. I need to get a way for MS Windows to mount shares 
> from my server using credentials from existing OpenLDAP & 
> Kerberos authentication system.

Then I don't really see a practical way out.  I'm surprised you lasted
so long into 2017 with the Windows clients unconnected to this system
(this isn't really a Samba issue at this point), but the infinite
variety in IT systems in this world never ceases to amaze me.

I wish you the very best with your deployment, however you choose to
handle it. 

Andrew Bartlett

Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

More information about the samba mailing list