On Fri, 2021-10-29 at 12:59 +0200, Achim Gottinger via samba wrote:
> > > Indeed, which raises the question can Kerberos be used with local
> > > account?
> > This all depends what you mean by 'local account' if you mean an
> > account that is in /etc/passwd, then, no it will not work, because
> > the user would be unknown to AD and hence, Kerberos.
> >
> > Rowland
> >
> Hello Rowland,
>
> I was talking about a local account on the Windows client side.
> Authentication against the Samba server is using NTLMSSP in this
> case. I thought the file explorer may use Kerberos if a valid ticket
> exists, which is not the case. Was just a wild guess. Kerberos only
> works if a domain account is used to log in on the Windows client.
>
> Achim
>
> https://en.wikipedia.org/wiki/Security_Support_Provider_Interface

A 'local' user is a local user whatever the OS and as such isn't a domain user, so cannot use Kerberos.

Rowland

On 29.10.2021 at 13:11, Rowland Penny via samba wrote:
> On Fri, 2021-10-29 at 12:59 +0200, Achim Gottinger via samba wrote:
>>>> Indeed, which raises the question can Kerberos be used with local
>>>> account?
>>> This all depends what you mean by 'local account' if you mean an
>>> account that is in /etc/passwd, then, no it will not work, because
>>> the user would be unknown to AD and hence, Kerberos.
>>>
>>> Rowland
>>>
>> Hello Rowland,
>>
>> I was talking about a local account on the Windows client side.
>> Authentication against the Samba server is using NTLMSSP in this
>> case. I thought the file explorer may use Kerberos if a valid ticket
>> exists, which is not the case. Was just a wild guess. Kerberos only
>> works if a domain account is used to log in on the Windows client.
>>
>> Achim
>>
>> https://en.wikipedia.org/wiki/Security_Support_Provider_Interface
> A 'local' user is a local user whatever the OS and as such isn't a
> domain user, so cannot use Kerberos.
>
> Rowland

Well, a local user can manually acquire a ticket from Kerberos (kinit [spn]) and use that for authentication. In fact that is what I use as the "local" root user on Linux if I use samba-tool.

    kinit administrator@[DOMAIN REALM]
    samba-tool -k [whatever]

Can it be we talk past each other here?

Achim