[Samba] Samba 4.2.15 and MIT Kerberos External Authentication
Rowland Penny
rpenny at samba.org
Wed Apr 9 13:05:21 UTC 2025
On Wed, 9 Apr 2025 08:36:16 -0400
igor noredinoski via samba <samba at lists.samba.org> wrote:
> >
> > It sounded like you had set up Samba as an AD DC using MIT instead
> > of Hiemdal until here, now I am not so sure. It sounds like you
> > have an existing Kerberos realm and you are trying to get a Samba
> > AD DC to auth from that, if that is the case, then that is not how
> > you are supposed to do it.
> >
> > If you want to see how to set up a DC with MIT, then the easiest
> > way is to do it on the latest fedora, their Samba AD DC uses MIT by
> > default.
> >
> > Rowland
> >
> >
> Yes this is correct. I am following the doc as per below. I built
> samba and upgraded krb5 to the required level needed to build with
> --with-experimental-mit-ad-dc
>
> https://wiki.samba.org/index.php/Running_a_Samba_AD_DC_with_MIT_Kerberos_KDC
>
> My understanding is, this *may* work with experimental.
If you are going to replace Heimdal with MIT on a Samba AD DC, you do
just that: you replace the Kerberos server, you do not use an already
running MIT KDC. Due to a few differences (which over time have been
reduced), using MIT as the KDC is still classed as experimental.
> The local on
> site domain is a realm that has a list of usernames and samba
> accounts but authentication is offloaded onto an external realm and
> there is a one way trust relationship where the local samba server
> trusts the external realm -- all that is required is that there is a
> local username and username map on local samba server.
Sorry, but if you are running Samba as an AD DC, it must be the point of
truth, it must hold all the AD records and your AD domain clients must
use it for authentication.
>
> I adjusted the below settings.
>
>
> /usr/local/samba/etc/user.map
>
> !root = Administrator
> !department-adm = Administrator
> *@DEPARTMENT.LOCAL = %1@COMPANY.COM
That is only used on a Unix domain member (and you do not really need
it there), it is never used on a Samba AD DC.
>
> /etc/nsswitch.conf
>
> passwd: compat winbind
> group: compat winbind
> shadow: compat
>
> /etc/pam.d/common-auth
>
> auth required pam_winbind.so
> account required pam_winbind.so
> require_membership_of=DEPARTMENT\\Domain\ Users
>
> I will check the Fedora docs how they are doing it. Or would it
> be easier to use Fedora to set this up as it's included in their
> stable repos?
Fedora sets up a Samba AD DC using a new MIT KDC.
Rowland