[Samba] Deploying Samba AD into Windows / Linux / OpenLDAP / Kerberos network

Rowland penny rpenny at samba.org
Fri Jan 29 13:54:24 UTC 2021

On 29/01/2021 13:15, Mike via samba wrote:
> * Kerberos: This is probably the big one.  One would expect a user to be
> able to log into either a Linux or Windows box.  Is there a neat way to
> use the same accounts?  Can Samba use the existing Kerberos
> infrastructure and indeed should it?

Samba could use an existing KDC, but it wouldn't be AD.

>    I've read that MIT kerberos
> support in Samba is experimental, does this mean "it works but we
> wouldn't want to stake our reputations on it" or "it doesn't work"?

It does work, but not as fully as the built-in Heimdal Kerberos; there 
are several big problems, hence 'experimental'.

> Would a better approach be to allow Samba to manage its own Kerberos and
> create the users in MIT kerberos and use cross-realm authentication to
> make the users available to Linux and AD (does this work)?

I would just let Samba be the KDC; there really is no point to two KDCs 
in a home network.

> I guess this boils down to two questions:
> 1) Should one just install Samba AD and let it handle its own stuff or
> should one aim to backend it all with my existing BIND/LDAP/Kerberos?

Oh yes, just install Samba; after that you don't need the separate servers.

> 2) How should one set it up so that one can create a user that can
> seamlessly log into both Linux and Windows hosts?

Windows will just use the users & groups in AD (after you join to the 
domain) and you just install Samba on the Linux hosts and configure it 
as a Unix domain member.

Any questions, just ask 😁
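
A minimal smb.conf for the Linux side of the setup described in the reply above (a Unix domain member of the Samba AD domain), as an added example that is not part of the original message or the Samba project's own text. The domain name SAMDOM, the realm SAMDOM.EXAMPLE.COM, the ID ranges and the file paths are assumed placeholders.

```ini
# /etc/samba/smb.conf on a Linux host acting as a Unix domain member.
# Added example: SAMDOM / SAMDOM.EXAMPLE.COM are placeholders for the
# NetBIOS domain name and Kerberos realm of the Samba AD domain.
[global]
    # Authenticate against the AD DC, which is also the only KDC.
    security = ADS
    workgroup = SAMDOM
    realm = SAMDOM.EXAMPLE.COM

    # Keep the machine account secret in secrets.tdb and also write it
    # to the system keytab so other Kerberized services can use it.
    kerberos method = secrets and keytab
    dedicated keytab file = /etc/krb5.keytab
    winbind refresh tickets = yes

    # Default domain (*) covers BUILTIN and local accounts. Its range
    # must not overlap the range used for the AD domain below.
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999

    # Map AD users and groups to Unix IDs derived from their RID, so
    # every member host computes the same uid/gid for the same account.
    idmap config SAMDOM : backend = rid
    idmap config SAMDOM : range = 10000-999999

    # Shell and home directory handed to domain users on this host.
    template shell = /bin/bash
    template homedir = /home/%U

    log file = /var/log/samba/%m.log
    log level = 1
```

With this file in place the host is joined with `net ads join -U administrator`, and `winbind` is added to the `passwd` and `group` lines of /etc/nsswitch.conf so domain accounts resolve on the Linux side.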

