Running a Samba AD DC with MIT Kerberos KDC

From SambaWiki
Jump to: navigation, search


On an Active Directory (AD) domain controller (DC), Samba uses an external application to provide Kerberos support. In version 4.6 and earlier, Samba only supported the Heimdal Kerberos implementation for the Key Distribution Center (KDC). For this reason, vendors of operating systems that only support MIT Kerberos could not provide packages with AD DC-capabilities. On these operating systems you can build Samba or use 3rd-party packages with AD DC support to set up a DC, but Samba can not be fully integrated into operating systems that use MIT Kerberos.

Samba 4.7 and later supports building Samba with MIT Kerberos. Distributions, which previously did not provide AD DC-aware Samba packages because they use MIT Kerberos, are now able to provide such packages. For details about migrating a Samba DC, for example, from self-compiled to packages, see Migrating a Samba Installation.

Use this documentation, if you want to:

  • Build Samba with MIT Kerberos back end and set up a new AD DC.
  • Migrate a Heimdal Kerberos-based Samba DC installation to MIT Kerberos back end.

Known Limitations of MIT Kerberos Support in Samba

Samba DCs with MIT Kerberos KDC currently do not support:

  • PKINIT support required for using smart cards
  • Service for User to Self-service (S4U2self)
  • Service for User to Proxy (S4U2proxy)
  • Running as a Read only domain controller (RODC)

Building Samba with MIT Kerberos Support

To enable MIT Kerberos support when you build Samba:

  • Pass the --with-system-mitkrb5 option to the configure script when you build Samba. For further details on building Samba, see Build Samba from Source.

Verifying if Samba Has Been Built with MIT Kerberos Support

To verify if Samba has been built with MIT Kerberos support, enter:

# smbd -b | grep HAVE_LIBKADM5SRV_MIT

If no output is displayed, Samba was compiled without MIT Kerberos support and uses Heimdal Kerberos.

Configuring the MIT KDC on a new DC

When you provision a new DC or join a DC to an existing AD, samba-tool automatically creates the /usr/local/samba/private/kdc.conf file. No further action is required.

The kdc.conf file is stored in Samba's private directory. To locate this directory:

# smbd -b | grep "PRIVATE_DIR"
  PRIVATE_DIR: /usr/local/samba/private/

Migrating a DC That Previously Used the Heimdal KDC

If you previously ran a DC that used the Heimdal KDC and want to migrate the DC to use MIT Kerberos:

  • Build Samba with MIT Kerberos support using the same installation directories. For details, see Building Samba with MIT Kerberos Support.
  • Install the MIT Kerberos-aware Samba over your existing installation.
  • Manually create the kdc.conf file:
  • Locate the path to the Samba private directory:
# smbd -b | grep "PRIVATE_DIR"
  PRIVATE_DIR: /usr/local/samba/private/
In a later step you will create the kdc.conf in this directory.
  • Locate the path to the Samba modules directory:
# smbd -b | grep "MODULESDIR"
  MODULESDIR: /usr/local/samba/lib/
The Kerberos database module is stored in the krb5/plugins/kdb/ subdirectory of the modules directory. In the previous example, the file is located in the /usr/local/samba/lib/krb5/plugins/kdb/ directory. In the next step, set the db_module_dir parameter in the kdc.conf file to this directory.
  • Create the kdc.conf in the Samba private directory. For example, in /usr/local/samba/private/kdc.conf.
       kdc_ports = 88
       kdc_tcp_ports = 88
       kadmind_port = 464

       } = {

       SAMDOM = {

       # Set the following parameter to the directory
       # that contains the database module:
       db_module_dir = /usr/local/samba/lib/krb5/plugins/kdb/

               db_library = samba
       } = {
               db_library = samba

       SAMDOM = {
               db_library = samba

       kdc = FILE:/var/log/samba/mit_kdc.log
       admin_server = FILE:/var/log/samba/mit_kadmin.log

Verifying that Samba uses the MIT Kerberos KDC

When you start the samba service, the process automatically starts the krb5kdc MIT Kerberos KDC.

To verify that the krb5kdc is a subprocess of the samba process, use the ps utility:

 1306 ?        Ss     0:00 samba -D
 1307 ?        S      0:00  \_ samba -D
 1315 ?        S      0:00  |   \_ samba -D
 1319 ?        Ss     0:00  |       \_ /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
 ...                        |
 1313 ?        S      0:00  \_ samba -D
 1316 ?        S      0:00  |   \_ samba -D
 1322 ?        S      0:00  |       \_ /usr/sbin/krb5kdc -n

Debugging Samba With MIT Kerberos Support

To debug Kerberos-related problems, see the following log files:

  • Samba logs to the file set in the log file parameter in your smb.conf file. For further details about logging in Samba and how to increase the log level, see Configuring Logging on a Samba Server.
  • The MIT KDC logs to the file set in the kdc and admin_server paramter in the kdc.conf file. To increase the log out, see the kdc.conf(5) man page.