[Samba] Samba 4.2.15 and MIT Kerberos External Authentication
igor noredinoski
igor.noredinoski at gmail.com
Wed Apr 9 12:36:16 UTC 2025
>
> It sounded like you had set up Samba as an AD DC using MIT instead of
> Heimdal until here, now I am not so sure. It sounds like you have an
> existing Kerberos realm and you are trying to get a Samba AD DC to auth
> from that, if that is the case, then that is not how you are supposed
> to do it.
>
> If you want to see how to set up a DC with MIT, then the easiest way is
> to do it on the latest fedora, their Samba AD DC uses MIT by default.
>
> Rowland
>
>
Yes, this is correct. I am following the doc as per below. I built Samba and
upgraded krb5 to the required level needed to build with
--with-experimental-mit-ad-dc
https://wiki.samba.org/index.php/Running_a_Samba_AD_DC_with_MIT_Kerberos_KDC
My understanding is that this *may* work with experimental. The local on-site
domain is a realm that has a list of usernames and Samba accounts, but
authentication is offloaded onto an external realm and there is a one-way
trust relationship where the local Samba server trusts the external realm.
All that is required is that there is a local username and username map
on the local Samba server.
I adjusted the below settings.
/usr/local/samba/etc/user.map
!root = Administrator
!department-adm = Administrator
*@DEPARTMENT.LOCAL = %1@COMPANY.COM
/etc/nsswitch.conf
passwd: compat winbind
group: compat winbind
shadow: compat
/etc/pam.d/common-auth
auth required pam_winbind.so
account required pam_winbind.so require_membership_of=DEPARTMENT\\Domain\ Users
I will check the Fedora docs to see how they are doing it. Or would it be
easier to use Fedora to set this up, as it's included in their stable repos?
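Since the post leans on a username map, here is an added example (not from the thread and not Samba's own code) that models how Samba walks a `username map` file as documented in smb.conf(5): lines are tried top to bottom, a `!` prefix stops processing after that line matches, `*` on the right matches any incoming name, `@group` on the right matches members of a Unix group, and without `!` the substituted name is fed to the following lines. The map, the group table and the case-insensitive comparison are constructed assumptions for the demo; the `unreachable_entries` check is a first-order static check of which lines can never fire.

```python
"""Model of how Samba applies a 'username map' file (smb.conf(5) semantics).

Added example for this thread, not Samba's own code. All inputs are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class MapEntry:
    unix_name: str       # left-hand side: the Unix account to map to
    patterns: List[str]  # right-hand side: literal names, '@group', or '*'
    stop: bool           # '!' prefix: stop processing once this line matches


def parse_username_map(text: str) -> List[MapEntry]:
    """Parse the file line by line; lines starting with '#' or ';' are comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        left, right = (s.strip() for s in line.split("=", 1))
        stop = left.startswith("!")
        if stop:
            left = left[1:].strip()
        entries.append(MapEntry(left, right.split(), stop))
    return entries


def _matches(pattern: str, user: str, groups: Dict[str, Set[str]]) -> bool:
    # Assumption: names compare case-insensitively, as Windows names do.
    if pattern == "*":
        return True
    if pattern.startswith("@"):
        members = groups.get(pattern[1:], set())
        return user.lower() in {m.lower() for m in members}
    return pattern.lower() == user.lower()


def map_username(user: str, entries: List[MapEntry],
                 groups: Optional[Dict[str, Set[str]]] = None) -> str:
    """Walk the map top to bottom. A matching line substitutes its unix_name;
    unless the line carries '!', later lines are matched against the
    substituted name, so a user can be remapped more than once."""
    groups = groups or {}
    current = user
    for entry in entries:
        if any(_matches(p, current, groups) for p in entry.patterns):
            current = entry.unix_name
            if entry.stop:
                break
    return current


def unreachable_entries(entries: List[MapEntry]) -> List[int]:
    """Indices of lines that can never match: every literal name on the line
    was already claimed by an earlier '!' line, or an earlier '!' line used
    '*'. '@group' patterns are only considered dead behind a '!' wildcard."""
    claimed: Set[str] = set()
    catch_all = False
    dead = []
    for idx, entry in enumerate(entries):
        shadowed = bool(entry.patterns) and all(
            p.lower() in claimed for p in entry.patterns)
        if catch_all or shadowed:
            dead.append(idx)
            continue
        if entry.stop:
            for p in entry.patterns:
                if p == "*":
                    catch_all = True
                elif not p.startswith("@"):
                    claimed.add(p.lower())
    return dead


# Constructed sample map and group table (assumptions, not the poster's config).
SAMPLE_MAP = """
; Administrator becomes root and processing stops there
!root = Administrator
!department-adm = Administrator
backup = @backup-operators
!nobody = *
"""
GROUPS = {"backup-operators": {"alice"}}
ENTRIES = parse_username_map(SAMPLE_MAP)

if __name__ == "__main__":
    for name in ("Administrator", "alice", "bob"):
        print(f"{name} -> {map_username(name, ENTRIES, GROUPS)}")
    print("unreachable lines:", unreachable_entries(ENTRIES))
```

Two things the sample brings out: a second `!` line for the same right-hand name is dead because the first one already stopped processing, and a line without `!` followed by a `!... = *` catch-all gets its result overwritten (alice lands on `nobody`, not `backup`), so put `!` on every line whose result you want to keep.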