[Samba] Deploying Samba AD into Windows / Linux / OpenLDAP / Kerberos network
robert at marcanoonline.com
Fri Jan 29 15:35:12 UTC 2021
On 1/29/21 10:12 AM, Rowland penny via samba wrote:
> On 29/01/2021 14:04, Robert Marcano via samba wrote:
>> On 1/29/21 9:54 AM, Rowland penny via samba wrote:
>>> On 29/01/2021 13:15, Mike via samba wrote:
>>>> * Kerberos: This is probably the big one. One would expect a user to be
>>>> able to log into either a Linux or Windows box. Is there a neat way to
>>>> use the same accounts? Can Samba use the existing Kerberos
>>>> infrastructure and indeed should it?
>>> Samba could use an existing KDC, but it wouldn't be AD
>>>> I've read that MIT kerberos
>>>> support in Samba is experimental, does this mean "it works but we
>>>> wouldn't want to stake our reputations on it" or "it doesn't work"?
>>> It does work, but not as fully as the built in Heimdal kerberos,
>>> there are several big problems, hence 'experimental'.
>> I am under the impression that the MIT backend for Samba AD support
>> (the embedding of a KDC inside Samba) is the one that is experimental,
>> not basic non AD DC server support.
>> I use RHEL/CentOS/Fedora MIT based Samba as non DC servers with
>> Kerberos without problems.
> I never said that you couldn't use MIT with Samba, just that the use of
> it with a Samba AD DC is experimental.
And I am clarifying that it is not WITH a Samba AD DC, but AS a Samba AD DC.
It works fine as a joined server or as a server of an existing non AD
Kerberos domain; it is even supported against a Windows based AD DC as
Quoting the wiki:
"On an Active Directory (AD) domain controller (DC), Samba uses an
external application to provide Kerberos support. In version 4.6 and
earlier, Samba only supported the Heimdal Kerberos implementation for
the Key Distribution Center (KDC)."
The experimental bits are only for the KDC; a non AD DC Samba server
with MIT Kerberos should be fine.