On Sun, 2017-04-16 at 19:06 -0600, S P Arif Sahari Wibowo via samba wrote:
> On 2017-04-13, 01:58, Andrew Bartlett via samba wrote:
> > On Wed, 2017-04-12 at 19:17 -0600, S P Arif Sahari Wibowo via samba wrote:
> > > Do you know any example Samba configuration that
> > > authenticates to a plain - non-AD, e.g. MIT KDC - Kerberos
> > > server?
> >
> > This is a normal and fully supported configuration. It maps to
> > normal unix users.
>
> Thanks! Does it mean that the OS (Linux) has to be set up for login
> using Kerberos as well?

No, but your clients will need to get a ticket somehow. That is presumably already happening otherwise you wouldn't be asking for this.

> I was looking into the Samba wiki pages and cannot find
> documentation for this. Generally most of the documentation pages
> discuss Samba either as an AD member or standalone.
>
> > From memory:
> >
> > security=user
> >
> > use kerberos keytab = system keytab
>
> Thanks! Obviously there is no "net ads join" command, so is there
> anything to be done instead of that?

You need a keytab for cifs/hostname just as you would for IMAP or some other kerberised service.

Andrew Bartlett

-- 
Andrew Bartlett                           http://samba.org/~abartlet/
Authentication Developer, Samba Team      http://samba.org
Samba Developer, Catalyst IT              http://catalyst.net.nz/services/samba
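A preflight check for the setup described in the message above, added here as an example (not part of the original post and not Samba's own tooling). It assumes the smb.conf(5) spelling `kerberos method` for the keytab setting that the message quotes from memory, plain `klist -k` output, and constructed sample data with the placeholder host `files.example.com` in realm `EXAMPLE.COM`; the function names are hypothetical.

```sh
#!/bin/sh
# Added example; all sample data is constructed, host and realm are placeholders.
SAMPLE_SMB_CONF='[global]
    security = user
    kerberos method = system keytab'

# Constructed output of: klist -k /etc/krb5.keytab
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------------
   2 host/files.example.com@EXAMPLE.COM
   2 cifs/files.example.com@EXAMPLE.COM'

# smb_param CONF NAME: print the value of parameter NAME (lowercase,
# single-spaced) from smb.conf-style text; the last occurrence wins.
smb_param() {
    printf '%s\n' "$1" | awk -F= -v want="$2" '
        /^[ \t]*[#;]/ { next }
        NF >= 2 {
            name = tolower($1)
            gsub(/^[ \t]+|[ \t]+$/, "", name); gsub(/[ \t]+/, " ", name)
            val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
            if (name == want) found = val
        }
        END { print found }'
}

# keytab_has_principal KLIST_OUTPUT PRINCIPAL: exit 0 if PRINCIPAL is listed.
keytab_has_principal() {
    printf '%s\n' "$1" | awk -v p="$2" '$2 == p { ok = 1 } END { exit !ok }'
}

# preflight CONF KLIST_OUTPUT FQDN REALM: print each problem, exit 0 if none.
preflight() {
    rc=0
    sec=$(smb_param "$1" "security" | tr 'A-Z' 'a-z')
    [ "$sec" = "user" ] || { echo "security = '$sec', expected user"; rc=1; }
    case $(smb_param "$1" "kerberos method" | tr 'A-Z' 'a-z') in
        "system keytab"|"dedicated keytab") ;;
        *) echo "kerberos method does not read a keytab"; rc=1 ;;
    esac
    keytab_has_principal "$2" "cifs/$3@$4" ||
        { echo "keytab has no cifs/$3@$4 entry"; rc=1; }
    return $rc
}

preflight "$SAMPLE_SMB_CONF" "$SAMPLE_KLIST" files.example.com EXAMPLE.COM &&
    echo "preflight ok"
```

On a real server, feed it the output of `testparm -s` and `klist -k` in place of the constructed samples.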
S P Arif Sahari Wibowo
2017-Apr-18 18:36 UTC
[Samba] Samba authentication using non-AD Kerberos?
On 2017-04-17, 15:23, Andrew Bartlett via samba wrote:
> No, but your clients will need to get a ticket somehow. That
> is presumably already happening otherwise you wouldn't be
> asking for this.

No, the situation is that currently I only have a Kerberos server, but not ADS. I would like to set up a Samba server so MS Windows and macOS clients (at various IP addresses) can log in to it, but I would like to use the existing Kerberos server as the authentication source.

Will this be possible?

Can this be done without the MS Windows and macOS clients having direct access to the Kerberos server?

> You need a keytab for cifs/hostname just as you would for IMAP
> or some other kerberised service.

Do you know how this works in MS Windows / macOS?

-- 
(stephan paul) Arif Sahari Wibowo
http://www.arifsaha.com/
On 18.04.2017 at 20:36, S P Arif Sahari Wibowo via samba wrote:
> On 2017-04-17, 15:23, Andrew Bartlett via samba wrote:
>> No, but your clients will need to get a ticket somehow. That is
>> presumably already happening otherwise you wouldn't be asking for this.
>
> No, the situation is that currently I only have a Kerberos server, but not
> ADS. I would like to set up a Samba server so MS Windows and macOS clients (at
> various IP addresses) can log in to it, but I would like to use the existing
> Kerberos server as the authentication source.
>
> Will this be possible?
>
> Can this be done without the MS Windows and macOS clients having direct
> access to the Kerberos server?
>
>> You need a keytab for cifs/hostname just as you would for IMAP or some
>> other kerberised service.
>
> Do you know how this works in MS Windows / macOS?
>

There is a tutorial on how to make a Kerberos server be a Samba server too. It is available at: http://www.danbishop.org/2015/01/30/ubuntu-14-04-ultimate-server-guide/8/