Peter Milesson
2024-Nov-30 18:03 UTC
[Samba] Linux desktop setup with authentication against Samba AD DC
On 30.11.2024 17:26, Rowland Penny via samba wrote:
> On Sat, 30 Nov 2024 17:14:24 +0100
> Peter Milesson via samba <samba at lists.samba.org> wrote:
>
>> Hi Rowland,
>>
>> I got it working under Archlinux also. Most of the work was looking
>> up how to configure PAM with the pam_winbind and pam_krb5 modules.
>> Not very well documented.
> If by 'pam_krb5' you are referring to libpam-krb5, you do not require
> it, winbind will do it for you.
>
>> There is a Wiki page about setting up AD integration, but it would
>> imply moving the Kerberos cache file, which would break everything
>> dependent on Kerberos tickets.
> Which wiki page is this ?
>
> Rowland
>

Hi Rowland,

I haven't a deep knowledge of what packages are sufficient, and which ones are superfluous. I will test the setup without libpam-krb5.

About the wiki page, it's Archlinux' AD integration page on https://wiki.archlinux.org/title/Active_Directory_integration. I really didn't follow it, and used what I set up on Debian instead. The Archlinux pam_winbind.conf example will probably break most kerberized applications, as the place of the Kerberos ticket cache is non-standard. It would be necessary to configure all applications using cached Kerberos tickets in that case. Even Archlinux puts the Kerberos ticket cache in /tmp by default. Defaults are there for some reason...

Best regards,

Peter
Rowland Penny
2024-Nov-30 19:23 UTC
[Samba] Linux desktop setup with authentication against Samba AD DC
On Sat, 30 Nov 2024 19:03:04 +0100
Peter Milesson via samba <samba at lists.samba.org> wrote:
> Hi Rowland,
>
> I haven't a deep knowledge of what packages are sufficient, and which
> ones are superfluous. I will test the setup without libpam-krb5.
>
> About the wiki page, it's Archlinux' AD integration page on
> https://wiki.archlinux.org/title/Active_Directory_integration. I
> really didn't follow it, and used what I set up on Debian instead.
> The Archlinux pam_winbind.conf example will probably break most
> kerberized applications, as the place of the Kerberos ticket cache is
> non standard. It would be necessary to configure all applications
> using cached Kerberos tickets in that case. Even Archlinux puts the
> Kerberos ticket cache in /tmp default. Defaults are there for some
> reason...

Based on what I have been using on Debian for quite some time, I cannot recommend following the Arch Linux wiki page; there are just too many apparent problems.

I was going to attempt to use Rocky Linux 9 as a client, but pam_mount appears to be only available from EPEL and I cannot easily find hxtools. It appears that Red Hat is moving away from the desktop and concentrating on servers.

Rowland