Rowland penny
2021-Jan-29 13:54 UTC
[Samba] Deploying Samba AD into Windows / Linux / OpenLDAP / Kerberos network
On 29/01/2021 13:15, Mike via samba wrote:
> * Kerberos: This is probably the big one. One would expect a user to be
> able to log into either a Linux or Windows box. Is there a neat way to
> use the same accounts? Can Samba use the existing Kerberos
> infrastructure and indeed should it?

Samba could use an existing KDC, but it wouldn't be AD.

> I've read that MIT kerberos
> support in Samba is experimental, does this mean "it works but we
> wouldn't want to stake our reputations on it" or "it doesn't work"?

It does work, but not as fully as the built-in Heimdal Kerberos; there are several big problems, hence 'experimental'.

> Would a better approach be to allow Samba to manage its own Kerberos and
> create the users in MIT kerberos and use cross-realm authentication to
> make the users available to Linux and AD (does this work)?

I would just let Samba be the KDC, there really is no point to two KDCs in a home network.

> I guess this boils down to two questions:
>
> 1) Should one just install Samba AD and let it handle its own stuff or
> should one aim to backend it all with my existing BIND/LDAP/Kerberos?

Oh yes, just install Samba, after that you don't need the separate servers.

> 2) How should one set it up so that one can create a user that can
> seamlessly log into both Linux and Windows hosts?

Windows will just use the users & groups in AD (after you join to the domain) and you just install Samba on the Linux hosts and configure it as a Unix domain member.

Any questions, just ask

Rowland
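As an added example (not from either post), this is the shape of a minimal smb.conf for a Linux host configured as a Unix domain member of a Samba AD domain, the setup Rowland describes for the Linux side; the realm SAMDOM.EXAMPLE.COM, the short name SAMDOM and the idmap ranges are placeholders to replace with your own.

```ini
[global]
   # Placeholders: replace with your AD realm and its NetBIOS (short) name
   security = ADS
   realm = SAMDOM.EXAMPLE.COM
   workgroup = SAMDOM

   # Fallback idmap range for BUILTIN and any domain not listed below
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999

   # Algorithmic RID-to-UID/GID mapping for the AD domain: every member
   # host that uses the same range computes the same IDs for a given
   # account, so no POSIX attributes or extra directory are needed
   idmap config SAMDOM : backend = rid
   idmap config SAMDOM : range = 10000-999999

   # Unix login attributes handed to AD users
   template shell = /bin/bash
   template homedir = /home/%U

   # Let users log in as "user" rather than "SAMDOM\user"
   winbind use default domain = yes

   # Kerberos uses the machine account (secrets.tdb) and the system keytab
   kerberos method = secrets and keytab
   winbind refresh tickets = yes
```

The host still has to be joined (net ads join -U Administrator) and winbind added to the passwd and group lines of /etc/nsswitch.conf before AD users resolve; keep the SAMDOM rid range identical on every member host, or the same user gets different UIDs on different machines.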
Robert Marcano
2021-Jan-29 14:04 UTC
[Samba] Deploying Samba AD into Windows / Linux / OpenLDAP / Kerberos network
On 1/29/21 9:54 AM, Rowland penny via samba wrote:
> On 29/01/2021 13:15, Mike via samba wrote:
>> * Kerberos: This is probably the big one. One would expect a user to be
>> able to log into either a Linux or Windows box. Is there a neat way to
>> use the same accounts? Can Samba use the existing Kerberos
>> infrastructure and indeed should it?
>
> Samba could use an existing KDC, but it wouldn't be AD
>
>> I've read that MIT kerberos
>> support in Samba is experimental, does this mean "it works but we
>> wouldn't want to stake our reputations on it" or "it doesn't work"?
>
> It does work, but not as fully as the built in Heimdal kerberos, there
> are several big problems, hence 'experimental'.

I am under the impression that the MIT backend for Samba AD support (the embedding of a KDC inside Samba) is the one that is experimental, not basic non-AD DC server support. I use RHEL/CentOS/Fedora MIT-based Samba as non-DC servers with Kerberos without problems.

>> Would a better approach be to allow Samba to manage its own Kerberos and
>> create the users in MIT kerberos and use cross-realm authentication to
>> make the users available to Linux and AD (does this work)?
>
> I would just let Samba be the KDC, there really is no point to two KDC's
> in a home network.
>
>> I guess this boils down to two questions:
>>
>> 1) Should one just install Samba AD and let it handle its own stuff or
>> should one aim to backend it all with my existing BIND/LDAP/Kerberos?
>
> Oh yes, just install Samba, after that you don't need the separate servers.
>
>> 2) How should one set it up so that one can create a user that can
>> seamlessly log into both Linux and Windows hosts?
>
> Windows will just use the users & groups in AD (after you join to the
> domain) and you just install Samba on the Linux hosts and configure it
> as a Unix domain member.
>
> Any questions, just ask
>
> Rowland