[Samba] Location of KDC Principal Database on AD-DC

Mike Ruebner samba at machichemicals.com
Tue Mar 19 07:20:07 UTC 2019

Does the built-in Samba 4.5 Heimdal KDC use a principal database, or is everything Kerberos stored in LDAP? I am trying to add a service/host alias via 'kadmin.heimdal -l' but a database 'dump' results in 'hdp_open: opening /var/lib/heimdal-kdc/heimdal: No such file or directory'.

I know just enough Kerberos to be dangerous, so some background on what I am trying to achieve:

Two sites with one Samba 4.5 (Debian) AD-DC each. Our users expect to find their redirected folders and assorted shares under the same alias for separate file servers at each location. On the DNS side, this is being handled by an external zone file on each DC to keep A records from being AD replicated. Of course, out of the window goes Kerberos auth for file server access, because I cannot have principal aliases in LDAP w/o (unwanted) replication.

It looks like Heimdal allows for principal aliases to be added directly to the database via kadmin's 'modify' command. My hope is that this will keep aliases away from replication. A nice-to-have would be to eliminate DNS lookups completely and let the KDC handle name resolution on its own.

Is this something that can be done?

