[Samba] Deploying Samba AD into Windows / Linux / OpenLDAP / Kerberos network

Robert Marcano robert at marcanoonline.com
Fri Jan 29 15:35:12 UTC 2021


On 1/29/21 10:12 AM, Rowland penny via samba wrote:
> On 29/01/2021 14:04, Robert Marcano via samba wrote:
>> On 1/29/21 9:54 AM, Rowland penny via samba wrote:
>>> On 29/01/2021 13:15, Mike via samba wrote:
>>>> * Kerberos: This is probably the big one.  One would expect a user to be
>>>> able to log into either a Linux or Windows box.  Is there a neat way to
>>>> use the same accounts?  Can Samba use the existing Kerberos
>>>> infrastructure and indeed should it?
>>>
>>>
>>> Samba could use an existing KDC, but it wouldn't be AD
>>>
>>>
>>>>    I've read that MIT kerberos
>>>> support in Samba is experimental, does this mean "it works but we
>>>> wouldn't want to stake our reputations on it" or "it doesn't work"?
>>>
>>>
>>> It does work, but not as fully as the built in Heimdal kerberos, 
>>> there are several big problems, hence 'experimental'.
>>
>> I am under the impression that the MIT backend for Samba AD support 
>> (the embedding of a KDC inside Samba) is the one that is experimental, 
>> not basic non AD DC server support.
>>
>> I use RHEL/CentOS/Fedora MIT based Samba as non DC servers with 
>> Kerberos without problems.
> 
> 
> I never said that you couldn't use MIT with Samba, just that the use of 
> it with a Samba AD DC is experimental.

And I am clarifying that it is not WITH a Samba AD DC, but AS a Samba AD DC. 
It works fine as a joined server or as a server of an existing non AD 
Kerberos domain; it is even supported against a Windows based AD DC as 
a member.

Quoting the wiki:

https://wiki.samba.org/index.php/Running_a_Samba_AD_DC_with_MIT_Kerberos_KDC#Experimental_Feature

"On an Active Directory (AD) domain controller (DC), Samba uses an 
external application to provide Kerberos support. In version 4.6 and 
earlier, Samba only supported the Heimdal Kerberos implementation for 
the Key Distribution Center (KDC)."

The experimental bits are only for the KDC, a non AD DC Samba server 
with MIT Kerberos should be fine.

> 
> Rowland