On Wed, 2017-04-19 at 10:09 -0600, S P Arif Sahari Wibowo via samba wrote:
> On 2017-04-19, 01:22, Stefan Just via samba wrote:
> > There is a tutorial how to make a Kerberos server to be a
> > samba server too.
>
> I don't have the option to make changes in the Kerberos server, at
> least not now. Is that the only way to have samba authenticated
> from a non-AD Kerberos server to be connectable from MS Windows
> and macOS clients?

Not Windows clients without much pain. In theory Windows can join a non-AD KDC, but it is incredibly rarely done. MacOS should be able to kinit.

I think you really want to move to Samba as an AD DC. Everything else will just be painful in the long run.

I hope this helps,

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
S P Arif Sahari Wibowo
2017-Apr-20 13:32 UTC
[Samba] Samba AD DC authenticated by non-AD Kerberos (~ Re: Samba authentication using non-AD Kerberos?)
On 2017-04-20, 03:35, Andrew Bartlett via samba wrote:
> I think you really want to move to Samba as an AD DC.

In that case, how can I set up a Samba AD DC which has its authentication come from another non-AD Kerberos service? Preferably in a separate server from the Kerberos service.

I also have an LDAP service synchronized with the Kerberos service, but I cannot have the old solution where AD user passwords are stored separately in an LDAP field. In general I cannot use a solution where AD user passwords are stored separately from and need to be synchronized with LDAP / Kerberos user passwords.

Thank you!

--
(stephan paul) Arif Sahari Wibowo
http://www.arifsaha.com/
Rowland Penny
2017-Apr-20 13:46 UTC
[Samba] Samba AD DC authenticated by non-AD Kerberos (~ Re: Samba authentication using non-AD Kerberos?)
On Thu, 20 Apr 2017 07:32:16 -0600 (MDT) S P Arif Sahari Wibowo via samba <samba at lists.samba.org> wrote:
> On 2017-04-20, 03:35, Andrew Bartlett via samba wrote:
> > I think you really want to move to Samba as an AD DC.
>
> In that case, how can I set up a Samba AD DC which has its
> authentication come from another non-AD Kerberos service?
> Preferably in a separate server from the Kerberos service.

I don't think you can.

>
> I also have an LDAP service synchronized with the Kerberos
> service, but I cannot have the old solution where AD user
> passwords are stored separately in an LDAP field. In general I
> cannot use a solution where AD user passwords are stored
> separately from and need to be synchronized with LDAP / Kerberos
> user passwords.
>

You normally use AD for the users' passwords and get your service to use AD for authentication. Just what do you need to get to work with AD: a mailserver, squid or something else?

Rowland