[Samba] kerberos + winbind + AD authentication for samba 4 domain member

Rowland Penny rpenny at samba.org
Tue Oct 31 22:20:14 UTC 2017

On Tue, 31 Oct 2017 22:46:53 +0100
Kacper Wirski via samba <samba at lists.samba.org> wrote:

> Hello,
> I'm setting up AD user logins for centos 7.4 box. I've almost managed
> to do everything the way I want and the way I think it should be, but
> I'm missing last piece:
>    For ssh access I read parts of the 
> https://wiki.samba.org/index.php/OpenSSH_Single_sign-on
> Most docs recommend using the setting in smb.conf:
> winbind use default domain = no
> that means that all domain users have the DOMAIN\ prefix attached. As per 
> the aforementioned wiki document I made the workaround for
> authentication to krb5.conf, and it works OK.
> What isn't working is "kinit" as-is for a logged-in AD user. To be more 
> precise: it works if I specify the username explicitly
> kinit myusername
> or
> kinit myusername@MY.DOMAIN.COM
> It works as expected (asks for password and grants ticket)
>   otherwise plain "kinit" uses the posix username by default, which in
> this case is DOMAIN\myusername, so it looks for:
> DOMAINmyusername@MY.DOMAIN.COM and fails with no principal found in 
> database (and rightly so), because obviously it should use 
> myusername@MY.DOMAIN.COM.
> I know it's not strictly samba related, and I could simply change
> winbind use default domain = yes
> as a workaround, this way everything works as expected, except that
> in all docs it's described as a not recommended setup, because of
> possible confusion about which user is from DOMAIN and which is local, and
> of course when multiple domains come into play.
> So maybe someone knows of a valid workaround, how to force kinit to 
> automatically remove/strip the DOMAIN prefix from e.g. 
> DOMAINmyusername@MY.DOMAIN.COM and change it into 
> myusername@MY.DOMAIN.COM? My understanding is that krb5.conf 
> "auth_to_local" works the other way around, so it takes a valid
> principal, and rewrites it so that it matches the posix user, and won't
> work in this case, as it's the other way round (the posix user has to be
> translated into a valid principal).
> My environment is:
> centos 7.4 OS
> samba 4.5.x is the AD DC
> samba 4.6.9 is domain member server and all tests are done on this
> machine.
> As I said, kerberos overall works fine, and it's not strictly a samba 
> issue, but the issue is because of the samba configuration and the added
> DOMAIN prefix.
> Any help/input/comments are appreciated.
> Regards, Kacper

You have something set up incorrectly, if I log into a Unix domain
member and run 'kinit', it works:

rowland@devstation:~$ whoami
rowland@devstation:~$ kinit
Password for rowland@SAMDOM.EXAMPLE.COM: 
rowland@devstation:~$ 

It also works on a DC.

Can you post the following files:


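The symptom in the question (a plain `kinit` looking for `DOMAINmyusername@MY.DOMAIN.COM`) follows from how Kerberos parses principal strings: a backslash is an escape character, so `DOMAIN\myusername` collapses to the single component `DOMAINmyusername` before the realm is appended. The script below is an added example written for this thread; it is not code from the list post, from Samba or from MIT krb5. It re-implements a simplified model of krb5's principal parsing (`parse_principal`, an assumed name) to reproduce that collapse, and then shows the mapping the poster is asking for: stripping the winbind domain prefix and separator from a POSIX name to build the principal `kinit` should be given explicitly. The realm `MY.DOMAIN.COM`, domain `DOMAIN`, user `myusername` and the `domain_realms` table are constructed sample values, and the `winbind separator` default of `\` is taken from smb.conf's documented default.

```python
"""Why `kinit` with a winbind-style POSIX name fails, and the fix.

Added example for this thread, not code from the list post, Samba or
MIT krb5.  parse_principal() is a simplified model of krb5_parse_name:
'/' separates components, an unescaped '@' starts the realm, and '\\'
escapes the following character (\\n, \\t, \\b, \\0 become control
characters, anything else is taken literally).  Sample names below are
constructed.
"""
from __future__ import annotations

_ESCAPES = {"n": "\n", "t": "\t", "b": "\b", "0": "\0"}


def parse_principal(text: str, default_realm: str) -> tuple[list[str], str]:
    """Split a principal string into (components, realm)."""
    components: list[str] = []
    realm: str | None = None          # None until an unescaped '@' is seen
    cur: list[str] = []
    i = 0
    while i < len(text):
        ch = text[i]
        if ch == "\\":                # escape: consume the next character
            i += 1
            if i >= len(text):
                raise ValueError("dangling backslash in principal")
            cur.append(_ESCAPES.get(text[i], text[i]))
        elif ch == "@":
            if realm is not None:
                raise ValueError("unescaped '@' inside realm")
            components.append("".join(cur))
            cur = []
            realm = ""                # realm text is collected in cur from here
        elif ch == "/" and realm is None:
            components.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    if realm is None:                 # no '@': use the default realm
        components.append("".join(cur))
        return components, default_realm
    return components, "".join(cur)


def unparse_principal(components: list[str], realm: str) -> str:
    """Inverse of parse_principal; escapes the characters that are special."""
    def esc(s: str) -> str:
        return "".join("\\" + c if c in "/@\\" else c for c in s)
    return "/".join(esc(c) for c in components) + "@" + esc(realm)


def kinit_default_principal(posix_user: str, default_realm: str) -> str:
    """What a bare `kinit` does: parse the login name as a principal string.

    A winbind name like DOMAIN\\user loses its backslash here, which is
    the DOMAINmyusername@REALM the poster saw.
    """
    comps, realm = parse_principal(posix_user, default_realm)
    return unparse_principal(comps, realm)


def principal_from_winbind_name(posix_user: str, default_realm: str,
                                separator: str = "\\",
                                domain_realms: dict[str, str] | None = None) -> str:
    """Map a winbind POSIX name to the principal kinit should be given.

    With `winbind use default domain = no` names are DOMAIN<separator>user
    (separator = smb.conf `winbind separator`, '\\' by default).  The
    domain prefix is stripped; if a DOMAIN -> REALM table is supplied it
    picks the realm (multi-domain case), otherwise default_realm is used.
    Names without a prefix (local users, or `use default domain = yes`)
    are used as-is.
    """
    domain, sep, user = posix_user.partition(separator)
    if not sep:
        user, domain = posix_user, None
    realm = default_realm
    if domain is not None and domain_realms:
        realm = domain_realms.get(domain.upper(), default_realm)
    return unparse_principal([user], realm)


if __name__ == "__main__":
    REALM = "MY.DOMAIN.COM"           # constructed sample realm
    login = "DOMAIN\\myusername"      # what `whoami` prints with use default domain = no
    print("bare kinit would try :", kinit_default_principal(login, REALM))
    print("kinit should be given:", principal_from_winbind_name(login, REALM))
```

Running it prints `DOMAINmyusername@MY.DOMAIN.COM` for the bare `kinit` case and `myusername@MY.DOMAIN.COM` for the mapped name; a wrapper that calls `kinit "$(this-mapping "$(whoami)")"` is the shape of workaround the poster describes, while Rowland's point stands that a correctly configured member should not need it because the login name seen by `kinit` is already the bare user.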