Matthias Kühne | Ellerhold AG
2022-Feb-17 10:12 UTC
[Samba] Confusion about libpam-krb5 and libpam-winbind
Hello samba-community,

on our Debian Domain members (Samba 4.14) we can't change the password of local (non-AD) users, because it asks for the "Current kerberos password".

I've tracked it down to the libpam-krb5. I can up the "minimum_uid" from 1000 to the value of my smb.conf (10000) and the problem is gone. Is this the correct way to fix this problem?

That leads me to a second question: What we need on these servers are SSH and SMB access via users from the domain. Both are using username + password (e.g. MY-DOMAIN\matthias.kuehne and a PW). As far as I understand it this is handled by libpam-winbind, correct?

libpam-krb5 would enable me to use kerberos tickets to access the file shares (and possibly ssh?). If I don't need that - can I uninstall it or does any background system of a samba domain member use this pam-module?

Same question for a samba ad-dc!

Thanks for your time!
Matthias Kühne.

--
Matthias Kühne
Senior Web Developer
Data Protection Officer

Ellerhold Aktiengesellschaft
Friedrich-List-Str. 4
01445 Radebeul

Phone: +49 (0) 351 83933-61
Fax: +49 (0) 351 83933-99

Web www.ellerhold.de
Twitter www.twitter.com/Ellerhold_AG
Youtube www.youtube.com/user/ellerholdgruppe

Amtsgericht Dresden / HRB 23769
Executive Board: Stephan Ellerhold, Maximilian Ellerhold
Chairman of the Supervisory Board: Frank Ellerhold

---
This e-mail and its attachments are privileged and confidential. If you are not the intended recipient, please notify us and immediately delete this e-mail and its attachments. You can find our privacy policy here: http://www.ellerhold.de/datenschutz/
Rowland Penny
2022-Feb-17 10:35 UTC
[Samba] Confusion about libpam-krb5 and libpam-winbind
On Thu, 2022-02-17 at 11:12 +0100, Matthias Kühne | Ellerhold AG via samba wrote:
> Hello samba-community,
>
> on our Debian Domain members (Samba 4.14) we can't change the password
> of local (non-AD) users, because it asks for the "Current kerberos
> password".

You shouldn't really have many local users, just enough to fix things if
something goes wrong and you cannot contact AD.

> I've tracked it down to the libpam-krb5. I can up the "minimum_uid"
> from 1000 to the value of my smb.conf (10000) and the problem is gone.
> Is this the correct way to fix this problem?

Yes, setting every occurrence of '1000' in /etc/pam.d/common-* to the
DOMAIN lower range is the correct way to fix this.

> That leads me to a second question: What we need on these servers are
> SSH and SMB access via users from the domain. Both are using username +
> password (e.g. MY-DOMAIN\matthias.kuehne and a PW). As far as I
> understand it this is handled by libpam-winbind, correct?

You can turn off the 'MY-DOMAIN\' by setting 'winbind use default domain =
yes', provided you are using the 'ad' or 'rid' winbind idmap backend with
one domain. This is handled by libpam-winbind & libnss-winbind.

> libpam-krb5 would enable me to use kerberos tickets to access the file
> shares (and possibly ssh?).

Yes, and definitely ssh.

> If I don't need that - can I uninstall it or does any background system
> of a samba domain member use this pam-module?

No and yes.

> Same question for a samba ad-dc!

You only need to set up PAM and the winbind links on a DC if you require
your users to log into the DC directly (something that Samba does not
recommend).

Rowland
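A way to audit the fix Rowland describes (every UID threshold in /etc/pam.d/common-* at or above the domain's idmap lower range), as an added example that is not part of this thread. It assumes the Debian paths /etc/samba/smb.conf and /etc/pam.d/common-*, that smb.conf's "workgroup =" line names the domain whose "idmap config ... : range" applies, and it generalises slightly by checking "uid >= N" conditions alongside pam_krb5's "minimum_uid=N":

```sh
#!/bin/sh
# Added example (not from the thread): list PAM lines whose UID threshold is
# below the domain's idmap lower bound, i.e. lines that would still hand local
# users (UID < that bound) to pam_krb5. Paths are arguments so the functions
# can be run against copies; "--live" checks the real Debian paths.

# Print LOW from "idmap config <WORKGROUP> : range = LOW-HIGH" in smb.conf,
# taking <WORKGROUP> from the file's own "workgroup =" line.
idmap_lower() {
    wg=$(sed -n 's/^[[:space:]]*workgroup[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" | head -n 1)
    [ -n "$wg" ] || return 1
    grep -i "^[[:space:]]*idmap config[[:space:]]*$wg[[:space:]]*:[[:space:]]*range" "$1" |
        sed -n 's/.*=[[:space:]]*\([0-9][0-9]*\)-.*/\1/p' | head -n 1
}

# Print the UID threshold of one PAM line ("minimum_uid=N" or "uid >= N"),
# or nothing if the line carries no such threshold.
pam_threshold() {
    printf '%s\n' "$1" | sed -n \
        -e 's/.*minimum_uid=\([0-9][0-9]*\).*/\1/p' \
        -e 's/.*uid[[:space:]]*>=[[:space:]]*\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Usage: check_pam_files LOW FILE...  Prints "file: line" for every threshold
# below LOW; returns 1 if any was found, 0 if the files are consistent.
check_pam_files() {
    min=$1; shift
    found=0
    for f in "$@"; do
        [ -r "$f" ] || continue
        while IFS= read -r line; do
            case $line in '#'*|'') continue ;; esac
            t=$(pam_threshold "$line")
            if [ -n "$t" ] && [ "$t" -lt "$min" ]; then
                printf '%s: %s\n' "$f" "$line"
                found=1
            fi
        done < "$f"
    done
    return $found
}

# Check the live system (needs read access to /etc/pam.d and smb.conf).
main() {
    low=$(idmap_lower /etc/samba/smb.conf) && [ -n "$low" ] ||
        { echo "no domain idmap range found in smb.conf" >&2; return 2; }
    check_pam_files "$low" /etc/pam.d/common-*
}
if [ "${1-}" = "--live" ]; then main; fi
```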