S P Arif Sahari Wibowo
2017-Apr-13 12:35 UTC
[Samba] Samba authentication using non-AD Kerberos?
On 2017-04-13, 01:58, Andrew Bartlett via samba wrote:
> On Wed, 2017-04-12 at 19:17 -0600, S P Arif Sahari Wibowo via
> samba wrote:
>> Do you know any example Samba configuration that authenticates
>> to a plain - non-AD, e.g. MIT KDC - Kerberos server?
>
> This is a normal and fully supported configuration. It maps to
> normal unix users.

Thanks! Does it mean that the OS (Linux) has to be set up for login using Kerberos as well?

I was looking into the Samba wiki pages and cannot find documentation for this. Generally most of the documentation pages are either discussing Samba as an AD member or standalone.

> From memory:
>
> security=user
>
> use kerberos keytab = system keytab

Thanks! Obviously there is no "net ads join" command, so is there anything to be done instead of that?

Thank you.

-- 
 ____  ____  ____  ____  (stephan paul) Arif Sahari Wibowo
/___  /___/ /___/ /___   http://www.arifsaha.com/
____/ /    /    / ____/
On Sun, 2017-04-16 at 19:06 -0600, S P Arif Sahari Wibowo via samba wrote:
> On 2017-04-13, 01:58, Andrew Bartlett via samba wrote:
> > On Wed, 2017-04-12 at 19:17 -0600, S P Arif Sahari Wibowo via samba
> > wrote:
> > > Do you know any example Samba configuration that
> > > authenticates to a plain - non-AD, e.g. MIT KDC - Kerberos
> > > server?
> >
> > This is a normal and fully supported configuration. It maps to
> > normal unix users.
>
> Thanks! Does it mean that the OS (Linux) has to be set up for login
> using Kerberos as well?

No, but your clients will need to get a ticket somehow. That is presumably already happening, otherwise you wouldn't be asking for this.

> I was looking into the Samba wiki pages and cannot find
> documentation for this. Generally most of the documentation pages
> are either discussing Samba as an AD member or standalone.
>
> > From memory:
> >
> > security=user
> >
> > use kerberos keytab = system keytab
>
> Thanks! Obviously there is no "net ads join" command, so is there
> anything to be done instead of that?

You need a keytab for cifs/hostname just as you would for IMAP or some other kerberised service.

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
S P Arif Sahari Wibowo
2017-Apr-20 13:25 UTC
[Samba] Samba authentication using non-AD Kerberos?
On 2017-04-16, 19:06, S P Arif Sahari Wibowo via samba wrote:
> I was looking into the Samba wiki pages and cannot find
> documentation for this. Generally most of the documentation pages
> are either discussing Samba as an AD member or standalone.

So still looking at this. This is the state currently: the Kerberos setup (krb5.conf and keytab) is working on the server, I can do kinit properly. But the Samba setup is still not working.

Here is what I have in /etc/smb.conf:

[global]
        workgroup = MYREALM
        server string = UATest Samba Server Version %v
        netbios name = myserver
        log file = /var/log/samba/log.%m
        max log size = 50
        security = ads
        realm = MYREALM.CA
        password server = mykerberos.myrealm.ca
        kerberos method = system keytab
        log level = 3 passdb:5 auth:10
        load printers = no
        cups options = raw
        printing = bsd

[tmp]
        comment = Temporary Stuff
        path = /tmp
        public = yes
        writable = yes
        printable = no

When I try to connect locally:

# kinit mykerbuser
Password for mykerbuser@MYREALM.CA:
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: mykerbuser@MYREALM.CA

Valid starting     Expires            Service principal
20/04/17 07:24:13  21/04/17 08:24:10  krbtgt/MYREALM.CA@MYREALM.CA
# smbclient -k -U mykerbuser -L localhost
session setup failed: NT_STATUS_IO_TIMEOUT

If I do tcpdump on the Kerberos server, I see this output repeated:

07:18:55.708609 mykerberos.myrealm.ca > 172.1.1.111: icmp: mykerberos.myrealm.ca udp port netbios-ns unreachable
07:18:56.709751 172.1.1.111.34265 > mykerberos.myrealm.ca.netbios-ns: udp 50 (DF)

-- 
 ____  ____  ____  ____  (stephan paul) Arif Sahari Wibowo
/___  /___/ /___/ /___   http://www.arifsaha.com/
____/ /    /    / ____/
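Putting Andrew Bartlett's two replies (security = user, service key read from the system keytab, a cifs/hostname principal created the same way as for any other kerberised service) next to the configuration posted above, as an added example that is not from the thread or from the Samba project: the posted smb.conf is a domain-member configuration. "security = ads" together with "password server" only applies to a machine joined to an Active Directory domain, and with them smbd tries to reach mykerberos.myrealm.ca as a domain controller, starting with the NetBIOS name service; that is the UDP 137 traffic to the KDC in the tcpdump, and the ICMP port-unreachable is the KDC (which runs no nmbd) refusing it. A standalone server that accepts tickets from a non-AD KDC instead looks like the following. Hostnames, realm, user and the [tmp] share are the ones from the thread; the keytab path and the kadmin commands in the note below assume an MIT KDC administered with kadmin.

```ini
# /etc/samba/smb.conf - standalone Samba server accepting Kerberos tickets
# from a non-AD (MIT) KDC. Added example, not text from the thread or from
# the Samba project. Names and realm are taken from the thread; the keytab
# location is MIT's default and is an assumption.
[global]
        workgroup = MYREALM
        server string = UATest Samba Server Version %v
        netbios name = myserver
        log file = /var/log/samba/log.%m
        max log size = 50

        # Standalone server: no domain join, no winbind. This replaces the
        # posted "security = ads" and "password server = mykerberos.myrealm.ca",
        # which are domain-member settings and make smbd hunt for a DC.
        security = user
        realm = MYREALM.CA

        # Accept tickets using the key in the system keytab (/etc/krb5.keytab
        # unless krb5.conf sets default_keytab_name). Samba only reads it; the
        # cifs/myserver.myrealm.ca principal has to be created with kadmin.
        kerberos method = system keytab

        # An authenticated principal maps to the Unix account of the same
        # name: mykerbuser@MYREALM.CA becomes local user "mykerbuser", which
        # must therefore exist in /etc/passwd or via NSS.
        load printers = no
        printing = bsd

[tmp]
        comment = Temporary Stuff
        path = /tmp
        public = yes
        writable = yes
        printable = no
```

The keytab step that stands in for "net ads join" is done on the KDC side with kadmin, for example `kadmin -p admin/admin -q 'addprinc -randkey cifs/myserver.myrealm.ca'` followed by `kadmin -p admin/admin -q 'ktadd -k /etc/krb5.keytab cifs/myserver.myrealm.ca'` run on the Samba host, then `klist -k /etc/krb5.keytab` to confirm the entry and `testparm -s` to check the configuration parses. When testing with `smbclient -k`, connect to the name the keytab principal carries (`smbclient -k -L myserver.myrealm.ca`) rather than `localhost`: the client asks the KDC for a ticket for cifs/<target hostname>, and the KDC has no cifs/localhost principal to issue one for.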