S P Arif Sahari Wibowo
2017-Apr-25 21:23 UTC
[Samba] Samba authentication using non-AD Kerberos?
On 2017-04-20, 03:35, Andrew Bartlett via samba wrote:
> Not windows clients without much pain. In theory Windows can
> join a non-AD KDC, but it is incredibly rarely done.

Would you mind giving a clearer picture of how much pain we are
talking about here? Any link to somebody who did it? I need to
compare it to the pain of the other alternatives I have on the
table, like letting clients mount files using sshfs.

On 2017-04-22, 02:27, Andrew Bartlett via samba wrote:
> As I mentioned first up, please set
> security=user...
>> password server = mykerberos.myrealm.ca
>
> Don't set this. Samba won't be contacting the KDC, in
> Kerberos that is the client's job.

It turns out that when I managed to get it working, neither option
mattered; I can set it up either way and it still works.

This is the configuration that works:

[global]
    workgroup = MYREALM.CA
    server string = MyTest Samba Server Version %v
    netbios name = myserver
    dns proxy = no
    log file = /var/log/samba/log.%m
    max log size = 50
    realm = MYREALM.CA
    kerberos method = dedicated keytab
    dedicated keytab file = /etc/krb5.keytab
    log level = 3 passdb:5 auth:10
    obey pam restrictions = no
    load printers = no
    cups options = raw
    printing = bsd

[tmp]
    comment = Temporary Stuff
    path = /tmp
    public = yes
    writable = yes
    printable = no

-- 
(stephan paul) Arif Sahari Wibowo
http://www.arifsaha.com/
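An added example, not part of either poster's message: the working configuration above relies on "kerberos method = dedicated keytab", so the server's Kerberos keys live in that one file. This Python check reads the [global] section and reports a keytab that is missing or accessible to group/other. SAMPLE is a constructed excerpt of the posted smb.conf, and the owner_uid parameter is a hypothetical knob introduced for the example.

```python
import configparser
import os
import stat

# Constructed sample: Kerberos-related lines of the smb.conf posted above.
SAMPLE = """\
[global]
realm = MYREALM.CA
log file = /var/log/samba/log.%m
kerberos method = dedicated keytab
dedicated keytab file = /etc/krb5.keytab
"""

def load_global(text):
    """Return the [global] section of smb.conf text as a dict."""
    # interpolation=None: %m and %v are Samba macros, not configparser ones.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    for name in cp.sections():
        if name.strip().lower() == "global":
            return dict(cp[name])
    return {}

def keytab_findings(glob, owner_uid=0):
    """List problems with the keytab that smbd is configured to use.

    owner_uid is a hypothetical knob for this example: the uid that is
    expected to own the keytab (root by default).
    """
    if glob.get("kerberos method", "").lower() != "dedicated keytab":
        return []  # only the dedicated-keytab case is checked here
    path = glob.get("dedicated keytab file", "")
    if not path:
        return ["kerberos method = dedicated keytab but no dedicated keytab file"]
    try:
        st = os.stat(path)
    except OSError as exc:
        return [f"{path}: cannot stat ({exc.strerror})"]
    findings = []
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        mode = stat.S_IMODE(st.st_mode)
        findings.append(f"{path}: mode {mode:04o} exposes service keys to group/other")
    if st.st_uid != owner_uid:
        findings.append(f"{path}: owned by uid {st.st_uid}, expected {owner_uid}")
    return findings

if __name__ == "__main__":
    for line in keytab_findings(load_global(SAMPLE)) or ["keytab settings OK"]:
        print(line)
```

Run as-is it inspects /etc/krb5.keytab on the local host; pass the text of a real smb.conf to load_global() to check another configuration.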
On Tue, 2017-04-25 at 15:23 -0600, S P Arif Sahari Wibowo via samba wrote:
> On 2017-04-20, 03:35, Andrew Bartlett via samba wrote:
> > Not windows clients without much pain. In theory Windows can
> > join a non-AD KDC, but it is incredibly rarely done.
>
> Would you mind giving a clearer picture of how much pain we are
> talking about here? Any link to somebody who did it? I need to
> compare it to the pain of the other alternatives I have on the
> table, like letting clients mount files using sshfs.

This looks like the instructions:

https://social.technet.microsoft.com/wiki/contents/articles/2751.kerberos-interoperability-step-by-step-guide-for-windows-server-2003.aspx#Using_an_MIT_KDC_with_a_Stand-alone_Windows_Server_TwentyOhThree_Client

In terms of pain, let me put it this way: You are the first person I
can remember asking about this on the Samba lists.

Also, you still have to create all the user accounts on each Windows
client, you just get to share the passwords.

All in all, you start to see why we built Samba's AD DC. You might
not be able to use it, but we didn't think the alternative was
practical either.

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
S P Arif Sahari Wibowo
2017-Apr-26 13:18 UTC
[Samba] Samba authentication using non-AD Kerberos?
On 2017-04-20, 03:35, Andrew Bartlett via samba wrote:
> Not windows clients without much pain. In theory Windows
> can join a non-AD KDC, but it is incredibly rarely done.

Would you mind giving a clearer picture of how much pain we are
talking about here? Any link to somebody who did it? I need to
compare it to the pain of the other alternatives I have on the
table, like letting clients mount shares using sshfs.

-- 
(stephan paul) Arif Sahari Wibowo
http://www.arifsaha.com/
S P Arif Sahari Wibowo
2017-Apr-27 13:17 UTC
[Samba] Samba authentication using non-AD Kerberos?
On 2017-04-25, 15:40, Andrew Bartlett via samba wrote:
> This looks like the instructions:
> https://social.technet.microsoft.com/wiki/contents/articles/2751.kerberos-interoperability-step-by-step-guide-for-windows-server-2003.aspx#Using_an_MIT_KDC_with_a_Stand-alone_Windows_Server_TwentyOhThree_Client

Thanks Andrew! This is quite useful info.

> Also, you still have to create all the user accounts on each
> Windows client, you just get to share the passwords.

Noted.

> All in all, you start to see why we built Samba's AD DC. You
> might not be able to use it, but we didn't think the
> alternative was practical either.

I brought up the question about using that in a forked thread; it
seems like Rowland Penny thinks it will be impossible too.

My requirement is simple: we have an existing OpenLDAP and Kerberos
authentication system, and I want MS Windows to be able to mount
shares from my server using credentials from that authentication
system.

In the old days (Samba 3), it could use LDAP for login, but it did
that by storing the password in an LDAP field using insecure
encryption, and I cannot do that now. I thought that now with
Samba 4 it would be possible to do this with Kerberos.

Thank you.

-- 
(stephan paul) Arif Sahari Wibowo
http://www.arifsaha.com/