[Samba] Samba 4.2.15 and MIT Kerberos External Authentication
Rowland Penny
rpenny at samba.org
Wed Apr 9 14:40:53 UTC 2025
On Wed, 9 Apr 2025 09:49:32 -0400
igor noredinoski via samba <samba at lists.samba.org> wrote:
> >> The local on
> >> site domain is a realm that has a list of usernames and samba
> >> accounts but authentication is off loaded onto an external realm
> >> and there is a one way trust relationship where the local samba
> >> server trusts the external realm -- all that is required is that
> >> there is a local username and username map on local samba server.
>
> > Sorry, but if you are running Samba as an AD DC, it must be the
> > point of truth, it must hold all the AD records and your AD domain
> > clients must use it for authentication.
>
> Thank you. In this case what I am attempting to do is use the
> experimental features of the server where the point of truth is the
> Samba ADC for the local domain but the password authentication for
> users is pulled from an external Kerberos realm. What we are trying
> to do is integrate into the corporate Kerberos environment and will
> later try to setup MFA from it.
>
> The end goal is, sysadmin creates a new user account, username only,
> that is created and approved on local Samba ADC. When the user logs
> in, they use their corporate credentials and then also use an MFA
> device such as a smartphone, or what not, to login on the
> workstation. (The MFA integration I will tackle later).

Not sure this is going to work. Normally your users etc. from domain_A
will have to fully exist on the domain_A DC, you will then have to
have a trust between domain_A and domain_B, this will then allow users
from one domain to log on via the other. This has nothing to do with the
Kerberos KDC.

Rowland