[Samba] Minimum footprint for authenticating CIFS shares with Kerberos

Rowland Penny rpenny at samba.org
Fri Jan 22 19:56:48 UTC 2021


On 22/01/2021 19:15, Dorian Taylor (Lists) via samba wrote:
> Good day,
>
> I have a home office network where, because of work, I already have:
>
> * an LDAP server
> * a Kerberos KDC/admin server
> * a DNS server

You do realise that they are the main components of AD.

>
> What I am after is a quasi-replacement for the AFS server I just removed after ten years, i.e., I want to access files over a network, and I want to be able to authenticate to that service using Kerberos.
>
> I followed some instructions to set Samba up as an Active Directory PDC

No such thing, there is an AD DC and an NT4-style PDC, but they are 
totally different things 😁
> , but I didn’t realize, at the outset, that meant spinning up a bunch of its own daemons that are fighting for the same ports a bunch of services are already running on.

I take it you haven't read any AD documentation 😮

>
> (For what it’s worth, the server is Ubuntu 20.04, which is curiously missing a systemd service definition for the `samba` daemon.)

This is because you now use 'samba-ad-dc' to start the Samba AD DC and 
'smbd', 'nmbd' and 'winbind' to start the daemons for a Unix domain member.

>
> I suppose my question is: To what extent can I configure Samba to provide just enough material to, for instance, fool a Mac’s native CIFS client into authenticating to a Samba share with Kerberos?

Easy, turn off your LDAP server, KDC and DNS server, then start your AD 
DC with 'systemctl start samba-ad-dc', though you will probably have to 
unmask it first.

Rowland





