Rowland Penny
2017-Apr-20 13:46 UTC
[Samba] Samba AD DC autenticated by non-AD Kerberos (~ Re: Samba authentication using non-AD Kerberos?)
On Thu, 20 Apr 2017 07:32:16 -0600 (MDT) S P Arif Sahari Wibowo via samba <samba at lists.samba.org> wrote:> On 2017-04-20, 03:35, Andrew Bartlett via samba wrote: > > I think you really want to move to Samba as an AD DC. > > In that case, how can I setup a Samba AD DC which has its > authentication came from another non-AD Kerberos service? > Preferably in a separate server from the Kerberos service.I don't think you can.> > I also have a LDAP service synchronized with the Kerberos > service, but I cannot have the old solution where AD user > passwords are stored separately in LDAP field. In general I > cannot use solution where AD user passwords are stored > separately from and need to be synchronized with LDAP / Kerberos > user passwords. >You normally use AD for the users passwords and get your service to use AD for authentication, just what do you need to get to work with AD, a mailserver or squid or something else ? Rowland
S P Arif Sahari Wibowo
2017-Apr-20 16:42 UTC
[Samba] Samba AD DC autenticated by non-AD Kerberos (~ Re: Samba authentication using non-AD Kerberos?)
On 2017-04-20, 07:46, Rowland Penny via samba wrote:> I don't think you can.It will be very sad if that's the case, since it means Samba is not adequate tool for this purpose. If we need to manage separate passwords database anyway, no difference than just have the Windows support person setup a Windows box to do the file sharing. I was hoping to convince decission maker to use Samba with real advantage to integrate with main LDAP/Kerberos ID management infrastructure. It will be sad to see that this is something that cannot be done by FOSS community.> just what do you need to get to work with AD,The LDAP/Kerberos is already established - extensively used and secured - so it won't go anywhere. I want to use Samba but it has to be integrated into existing authentication mechanism. -- ____ ____ ____ ____ (stephan paul) Arif Sahari Wibowo /___ /___/ /___/ /___ http://www.arifsaha.com/ ____/ / / / ____/
Andrew Bartlett
2017-Apr-22 08:12 UTC
[Samba] Samba AD DC autenticated by non-AD Kerberos (~ Re: Samba authentication using non-AD Kerberos?)
On Thu, 2017-04-20 at 14:46 +0100, Rowland Penny via samba wrote:> On Thu, 20 Apr 2017 07:32:16 -0600 (MDT) > S P Arif Sahari Wibowo via samba <samba at lists.samba.org> wrote: > > > On 2017-04-20, 03:35, Andrew Bartlett via samba wrote: > > > I think you really want to move to Samba as an AD DC. > > > > In that case, how can I setup a Samba AD DC which has its > > authentication came from another non-AD Kerberos service? > > Preferably in a separate server from the Kerberos service. > > I don't think you can.To be clear, this would be an 'MIT Trust'. This isn't currently supported, but would allow you to authenticate with the username and password via krb5 from the trusted domain, but use the ticket to log in to the Windows desktop and the Samba file server. Andrew Bartlett -- Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
Andrew Bartlett
2017-Apr-22 08:25 UTC
[Samba] Samba AD DC autenticated by non-AD Kerberos (~ Re: Samba authentication using non-AD Kerberos?)
On Thu, 2017-04-20 at 10:42 -0600, S P Arif Sahari Wibowo via samba wrote:> On 2017-04-20, 07:46, Rowland Penny via samba wrote: > > I don't think you can. > > It will be very sad if that's the case, since it means Samba is > not adequate tool for this purpose. If we need to manage > separate passwords database anyway, no difference than just have > the Windows support person setup a Windows box to do the file > sharing. > > I was hoping to convince decission maker to use Samba with real > advantage to integrate with main LDAP/Kerberos ID management > infrastructure. It will be sad to see that this is something > that cannot be done by FOSS community.Please avoid the 'moral blackmail' implication. Perhaps it was not your intention, but occasionally we get folks who come here with a sense that somehow Samba or the Free Software world is poorer if their use case isn't addressed. That is, it feels like we are being goaded into providing an answer or fix, and that isn't nice. Please do use Samba where it works well for your use case, were it fits how you like to run your network, whether practically, ethically or financially.> > just what do you need to get to work with AD, > > The LDAP/Kerberos is already established - extensively used and > secured - so it won't go anywhere. I want to use Samba but it > has to be integrated into existing authentication mechanism.This wasn't at all clear in your original message. It does help to have the full context. It isn't nearly as common as pure AD, but you can run Samba as I described, for clients that have a Kerberos ticket. Environments such as you describe should already have established procedures for extracting a keytab for a new service, so follow those for that part, and configure Samba as I instructed, with 'security=user' and 'use kerberos keytab = system keytab'. However, this won't kerberise Windows or MacOS clients that were not already kerberised by some other means. Windows clients are the hardest in this context. I don't think your IO_TIMEOUT message you mentioned is the last word on this. You should first get Samba working with a local passdb (eg set a password for the users with smbpasswd -a) file, then move to Kerberos once you get that working. I hope this helps clarify things. Andrew Bartlett -- Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
S P Arif Sahari Wibowo
2017-Apr-25 21:04 UTC
[Samba] Samba AD DC authenticated by external Kerberos (~ Re: Samba authentication using non-AD Kerberos?)
On 2017-04-22, 02:12, Andrew Bartlett via samba wrote:> To be clear, this would be an 'MIT Trust'. This isn't > currently supported, but would allow you to authenticate with > the username and password via krb5 from the trusted domain, > but use the ticket to log in to the Windows desktop and the > Samba file server.Actually no. I fork this thread to specifically asking question about setting up Samba AD DC / ADS with external Kerberos server. Sorry the title a bit confusin, I fixed it a little bit. So presumably the client can login as if login to normal AD DC / ADS. Thank you! -- ____ ____ ____ ____ (stephan paul) Arif Sahari Wibowo /___ /___/ /___/ /___ http://www.arifsaha.com/ ____/ / / / ____/
Maybe Matching Threads
- Samba authentication using non-AD Kerberos?
- Samba authentication using non-AD Kerberos?
- Samba authentication using non-AD Kerberos?
- Samba AD DC autenticated by non-AD Kerberos (~ Re: Samba authentication using non-AD Kerberos?)
- Samba authentication using non-AD Kerberos?