Marco Gaiarin
2021-Dec-27 12:54 UTC
[Samba] Samba domain members and MIT Kerberos configuration...
I'm working on joining some RH-based box to an AD domain, starting from this list, the wiki and my Debian knowledge. ;-)

I'm speaking of MEMBERS, not DC!

I've found some info googling around, but it makes reference to 'realmd' and 'oddjob' for configuration, which seem to me more like 'wrappers' to help configuration, so they can probably be substituted with the plainer 'net ads join' and 'pam_mkhomedir'. Correct?

Also, I've found no specific Kerberos configuration, apart from the hint to add this:

    [plugins]
        localauth = {
            module = winbind:/usr/lib64/samba/krb5/winbind_krb5_localauth.so
            enable_only = winbind
        }

(and installing the samba-winbind-krb5-locator rpm package).

In the Samba wiki I've not found any hint about MIT Kerberos configuration.

Does someone have a clue? Thanks.

--
...and you go off who knows where to avoid paying taxes, with the sneer and the ignorance of the top of the class. (F. Guccini)
Rowland Penny
2021-Dec-27 13:24 UTC
[Samba] Samba domain members and MIT Kerberos configuration...
On Mon, 2021-12-27 at 13:54 +0100, Marco Gaiarin via samba wrote:
> I'm working on joining some RH-based box to an AD domain, starting
> from this list, the wiki and my debian knowledge. ;-)

What rh-based box? RHEL? CentOS? Fedora? What version?

> I'm speaking of MEMBERS, not DC!

No need to shout :-D

> I've found some info googling around, but make reference to 'realmd'
> and 'oddjob' for configuration, that seems to me more 'wrappers' to
> help configuration, so probably can be substitute with more plain
> 'net ads join' and 'pam_mkhomedir'. Correct?

Sort of, you should (in my opinion) use 'net ads join' to join the computer to the domain, but you will need to use 'oddjob' on Red Hat distros. You will also need to correctly set up the smb.conf file.

> Also, i've found no specific kerberos configuration, apart the hint
> to add this:
>
> [plugins]
>     localauth = {
>         module = winbind:/usr/lib64/samba/krb5/winbind_krb5_localauth.so
>         enable_only = winbind
>     }

You probably do not need that.

> (and installing samba-winbind-krb5-locator rpm package).
>
> In the samba wiki i've not found some hint about mit kerberos
> configuration.

This is probably because the setup isn't much different on Unix domain members.

Rowland
Patrick Goetz
2022-Jan-10 19:46 UTC
[Samba] Samba domain members and MIT Kerberos configuration...
On 12/27/21 06:54, Marco Gaiarin via samba wrote:
> I'm working on joining some RH-based box to an AD domain, starting from this
> list, the wiki and my debian knowledge. ;-)
>
> I'm speaking of MEMBERS, not DC!
>
> I've found some info googling around, but make reference to 'realmd' and
> 'oddjob' for configuration, that seems to me more 'wrappers' to help
> configuration, so probably can be substitute with more plain 'net ads
> join' and 'pam_mkhomedir'. Correct?

If you have SELinux turned on, pam_mkhomedir won't work. This is why RHEL created the oddjob thing. You however don't need realmd -- that's aimed at simplifying configuration. adcli works fine. You especially don't need realmd if you're going to use Samba.

> Also, i've found no specific kerberos configuration, apart the hint to add
> this:
>
> [plugins]
>     localauth = {
>         module = winbind:/usr/lib64/samba/krb5/winbind_krb5_localauth.so
>         enable_only = winbind
>     }
>
> (and installing samba-winbind-krb5-locator rpm package).
>
> In the samba wiki i've not found some hint about mit kerberos configuration.
>
> Someone have some clue? Thanks.