Dorian Taylor (Lists)
2021-Jan-22 20:23 UTC
[Samba] Minimum footprint for authenticating CIFS shares with Kerberos
> On Jan 22, 2021, at 11:56 AM, Rowland penny via samba <samba at lists.samba.org> wrote:
>
> You do realise that they are the main components of AD.

I do! And they are working just fine and I would prefer not to get rid of them, because they are already configured and I am using them for things.

> No such thing, there is an AD DC and an NT4-style PDC, but they are totally different things ?

Thank you for apprising me of the correct terminology.

> I take it you haven't read any AD documentation ?

I'm awash in documentation. For the record it isn't obvious from the outside that Samba has to manage all of those services internally and not avail itself of existing resources.

> This is because you now use 'samba-ad-dc' to start the Samba AD DC and 'smbd', 'nmbd' and 'winbind' to start the daemons for a Unix domain member.

Yeah, thanks, I found that shortly after sending.

> Easy, turn off your ldap server, KDC and DNS server, then start your AD DC with 'systemctl start samba-ad-dc', though you will probably have to unmask it first.

Perhaps the question I should have asked is "how closely-coupled is using Kerberos to authenticate to a Samba share to the whole AD ball of wax?", but it looks like the answer is "It's all or nothing, baby."

Regards,

--
Dorian Taylor
Make things. Make sense.
https://doriantaylor.com
Jeremy Allison
2021-Jan-22 20:40 UTC
[Samba] Minimum footprint for authenticating CIFS shares with Kerberos
On Fri, Jan 22, 2021 at 12:23:07PM -0800, Dorian Taylor (Lists) via samba wrote:
>
> Perhaps the question I should have asked is "how closely-coupled is using Kerberos to authenticate to a Samba share to the whole AD ball of wax?", but it looks like the answer is "It's all or nothing, baby."

I think what you want is a member server, not an AD-DC.
Rowland penny
2021-Jan-22 20:43 UTC
[Samba] Minimum footprint for authenticating CIFS shares with Kerberos
On 22/01/2021 20:23, Dorian Taylor (Lists) wrote:
> Perhaps the question I should have asked is "how closely-coupled is using Kerberos to authenticate to a Samba share to the whole AD ball of wax?", but it looks like the answer is "It's all or nothing, baby."
>

You could consider a Unix domain member instead.

Rowland