[Samba] Location of KDC Principal Database on AD-DC

Andrew Bartlett abartlet at samba.org
Tue Mar 19 07:55:55 UTC 2019

On Tue, 2019-03-19 at 02:20 -0500, Mike Ruebner via samba wrote:
> Does the built-in Samba 4.5 Heimdal KDC use a principal database, or
> is everything Kerberos stored in LDAP? I am trying to add a
> service/host alias via 'kadmin.heimdal -l' but a database 'dump'
> results in 'hdp_open: opening /var/lib/heimdal-kdc/heimdal: No such
> file or directory'.
> I know just enough Kerberos to be dangerous, so some background on
> what I am trying to achieve:
> Two sites with one Samba 4.5 (Debian) AD-DC each. Our users expect to
> find their redirected folders and assorted shares under the same
> alias for separate file servers at each location.

This isn't possible with AD.

> On the DNS side, this is being handled by an external zone file on
> each DC to keep A records from being AD replicated. Of course, out of
> the window goes Kerberos auth for file server access, because I
> cannot have principal aliases in LDAP w/o (unwanted) replication.
> It looks like Heimdal allows for principal aliases to be added
> directly to the database via kadmin's 'modify' command. My hope is
> that this will keep aliases away from replication. A nice-to-have
> would be to eliminate DNS lookups completely and let the KDC handle
> name resolution on its own.
> Is this something that can be done?

Not via Kerberos.  The principal database as you describe it is the AD
DC's sam.ldb, and is replicated.

There may be other technologies you can use (perhaps MSDFS redirects
somehow), but not Kerberos.


Andrew Bartlett
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
