Rowland Penny
2017-Apr-20 13:46 UTC
[Samba] Samba AD DC autenticated by non-AD Kerberos (~ Re: Samba authentication using non-AD Kerberos?)
On Thu, 20 Apr 2017 07:32:16 -0600 (MDT) S P Arif Sahari Wibowo via samba <samba at lists.samba.org> wrote:

> On 2017-04-20, 03:35, Andrew Bartlett via samba wrote:
> > I think you really want to move to Samba as an AD DC.
>
> In that case, how can I setup a Samba AD DC which has its
> authentication came from another non-AD Kerberos service?
> Preferably in a separate server from the Kerberos service.

I don't think you can.

> I also have a LDAP service synchronized with the Kerberos
> service, but I cannot have the old solution where AD user
> passwords are stored separately in LDAP field. In general I
> cannot use solution where AD user passwords are stored
> separately from and need to be synchronized with LDAP / Kerberos
> user passwords.

You normally use AD for the users' passwords and get your service to use AD for authentication. Just what do you need to get to work with AD: a mailserver, or squid, or something else?

Rowland
S P Arif Sahari Wibowo
2017-Apr-20 16:42 UTC
[Samba] Samba AD DC autenticated by non-AD Kerberos (~ Re: Samba authentication using non-AD Kerberos?)
On 2017-04-20, 07:46, Rowland Penny via samba wrote:
> I don't think you can.

It will be very sad if that's the case, since it means Samba is not an adequate tool for this purpose. If we need to manage a separate password database anyway, there is no difference from just having the Windows support person set up a Windows box to do the file sharing.

I was hoping to convince the decision maker to use Samba with a real advantage: integration with the main LDAP/Kerberos ID management infrastructure. It will be sad to see that this is something that cannot be done by the FOSS community.

> just what do you need to get to work with AD,

The LDAP/Kerberos is already established - extensively used and secured - so it won't go anywhere. I want to use Samba, but it has to be integrated into the existing authentication mechanism.

-- 
 ____  ____  ____  ____  (stephan paul) Arif Sahari Wibowo
/___  /___/ /___/ /___       http://www.arifsaha.com/
____/ /     /     ____/
Andrew Bartlett
2017-Apr-22 08:12 UTC
[Samba] Samba AD DC autenticated by non-AD Kerberos (~ Re: Samba authentication using non-AD Kerberos?)
On Thu, 2017-04-20 at 14:46 +0100, Rowland Penny via samba wrote:
> On Thu, 20 Apr 2017 07:32:16 -0600 (MDT)
> S P Arif Sahari Wibowo via samba <samba at lists.samba.org> wrote:
>
> > On 2017-04-20, 03:35, Andrew Bartlett via samba wrote:
> > > I think you really want to move to Samba as an AD DC.
> >
> > In that case, how can I setup a Samba AD DC which has its
> > authentication came from another non-AD Kerberos service?
> > Preferably in a separate server from the Kerberos service.
>
> I don't think you can.

To be clear, this would be an 'MIT Trust'. This isn't currently supported, but would allow you to authenticate with the username and password via krb5 from the trusted domain, but use the ticket to log in to the Windows desktop and the Samba file server.

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
Andrew Bartlett
2017-Apr-22 08:25 UTC
[Samba] Samba AD DC autenticated by non-AD Kerberos (~ Re: Samba authentication using non-AD Kerberos?)
On Thu, 2017-04-20 at 10:42 -0600, S P Arif Sahari Wibowo via samba wrote:
> On 2017-04-20, 07:46, Rowland Penny via samba wrote:
> > I don't think you can.
>
> It will be very sad if that's the case, since it means Samba is
> not adequate tool for this purpose. If we need to manage
> separate passwords database anyway, no difference than just have
> the Windows support person setup a Windows box to do the file
> sharing.
>
> I was hoping to convince decission maker to use Samba with real
> advantage to integrate with main LDAP/Kerberos ID management
> infrastructure. It will be sad to see that this is something
> that cannot be done by FOSS community.

Please avoid the 'moral blackmail' implication. Perhaps it was not your intention, but occasionally we get folks who come here with a sense that somehow Samba or the Free Software world is poorer if their use case isn't addressed. That is, it feels like we are being goaded into providing an answer or fix, and that isn't nice.

Please do use Samba where it works well for your use case, where it fits how you like to run your network, whether practically, ethically or financially.

> > just what do you need to get to work with AD,
>
> The LDAP/Kerberos is already established - extensively used and
> secured - so it won't go anywhere. I want to use Samba but it
> has to be integrated into existing authentication mechanism.

This wasn't at all clear in your original message. It does help to have the full context.

It isn't nearly as common as pure AD, but you can run Samba as I described, for clients that have a Kerberos ticket. Environments such as you describe should already have established procedures for extracting a keytab for a new service, so follow those for that part, and configure Samba as I instructed, with 'security=user' and 'use kerberos keytab = system keytab'.

However, this won't kerberise Windows or MacOS clients that were not already kerberised by some other means. Windows clients are the hardest in this context.

I don't think the IO_TIMEOUT message you mentioned is the last word on this. You should first get Samba working with a local passdb file (e.g. set a password for the users with smbpasswd -a), then move to Kerberos once you get that working.

I hope this helps clarify things.

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
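As an added illustration of the setup Andrew describes above (this fragment is written for this page; it is not from the thread or from the Samba project), here is a minimal smb.conf for a standalone Samba file server that accepts Kerberos tickets issued by an existing non-AD KDC. The keytab setting is written under its smb.conf(5) parameter name, `kerberos method`. The realm `EXAMPLE.REALM`, the host name `fileserver.example.com`, the share path `/srv/share` and the group `users` are placeholders.

```ini
# Added example (not from the thread): standalone Samba file server that
# authenticates Kerberos clients against an existing non-AD KDC.
# EXAMPLE.REALM, fileserver.example.com and /srv/share are placeholders.
[global]
    # Standalone server: Samba keeps its own user database and is not
    # joined to any AD domain.
    security = user
    workgroup = WORKGROUP
    netbios name = FILESERVER

    # Realm of the site's existing (non-AD) Kerberos KDC.
    realm = EXAMPLE.REALM

    # Read the server's service key from the system keytab
    # (/etc/krb5.keytab), which the site's own keytab-issuing procedure
    # must populate with cifs/fileserver.example.com@EXAMPLE.REALM.
    kerberos method = system keytab

    # Each Kerberos principal user@EXAMPLE.REALM must map to a local Unix
    # account of the same name; the local passdb entry created with
    # "smbpasswd -a <user>" is only needed for the non-Kerberos test step.
    passdb backend = tdbsam

    log level = 1 auth:3

[share]
    path = /srv/share
    read only = no
    valid users = @users
```

Following the order suggested in the message, check the file with `testparm -s`, confirm that `klist -k /etc/krb5.keytab` lists the `cifs/fileserver.example.com@EXAMPLE.REALM` principal, verify a plain password logon first (a user created with `smbpasswd -a`), and only then test a Kerberos logon from a client that already holds a ticket from the site's KDC (in 2017-era Samba, `smbclient -k //fileserver.example.com/share`). The `auth:3` log level makes the failing step visible in the server log when a ticket is rejected, for example because the keytab holds a principal name or key version that does not match what the KDC issued.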
S P Arif Sahari Wibowo
2017-Apr-25 21:04 UTC
[Samba] Samba AD DC authenticated by external Kerberos (~ Re: Samba authentication using non-AD Kerberos?)
On 2017-04-22, 02:12, Andrew Bartlett via samba wrote:
> To be clear, this would be an 'MIT Trust'. This isn't
> currently supported, but would allow you to authenticate with
> the username and password via krb5 from the trusted domain,
> but use the ticket to log in to the Windows desktop and the
> Samba file server.

Actually no. I forked this thread to specifically ask a question about setting up a Samba AD DC / ADS with an external Kerberos server. Sorry the title is a bit confusing; I fixed it a little bit. So presumably the client can log in as if logging in to a normal AD DC / ADS.

Thank you!

-- 
 ____  ____  ____  ____  (stephan paul) Arif Sahari Wibowo
/___  /___/ /___/ /___       http://www.arifsaha.com/
____/ /     /     ____/