S P Arif Sahari Wibowo
2017-Apr-25 21:04 UTC
[Samba] Samba AD DC authenticated by external Kerberos (~ Re: Samba authentication using non-AD Kerberos?)
On 2017-04-22, 02:12, Andrew Bartlett via samba wrote:
> To be clear, this would be an 'MIT Trust'. This isn't
> currently supported, but would allow you to authenticate with
> the username and password via krb5 from the trusted domain,
> but use the ticket to log in to the Windows desktop and the
> Samba file server.

Actually no. I forked this thread to specifically ask a question about setting up Samba AD DC / ADS with an external Kerberos server. Sorry the title is a bit confusing, I fixed it a little bit. So presumably the client can log in as if logging in to a normal AD DC / ADS.

Thank you!

-- 
(stephan paul) Arif Sahari Wibowo
http://www.arifsaha.com/
Gaiseric Vandal
2017-Apr-27 13:13 UTC
[Samba] Samba AD DC authenticated by external Kerberos (~ Re: Samba authentication using non-AD Kerberos?)
On 04/25/17 17:04, S P Arif Sahari Wibowo via samba wrote:
> On 2017-04-22, 02:12, Andrew Bartlett via samba wrote:
>> To be clear, this would be an 'MIT Trust'. This isn't currently
>> supported, but would allow you to authenticate with the username and
>> password via krb5 from the trusted domain, but use the ticket to log
>> in to the Windows desktop and the Samba file server.
>
> Actually no. I forked this thread to specifically ask a question about
> setting up Samba AD DC / ADS with an external Kerberos server. Sorry the
> title is a bit confusing, I fixed it a little bit. So presumably the
> client can log in as if logging in to a normal AD DC / ADS.
>
> Thank you!
>

A Samba AD directory server (domain controller) is its own Kerberos server. I don't see how you could configure it to use another KDC.

Depending on how many computers are in your environment, it may be easier to have the non-AD Kerberos clients use the Samba DC as the KDC.
S P Arif Sahari Wibowo
2017-Apr-27 13:22 UTC
[Samba] Samba AD DC authenticated by external Kerberos (~ Re: Samba authentication using non-AD Kerberos?)
On 2017-04-27, 07:13, Gaiseric Vandal via samba wrote:
> A Samba AD directory server (domain controller) is its own
> Kerberos server. I don't see how you could configure it to use
> another KDC.

I don't know Kerberos much, so I am wondering, can something like this be "delegated"?

> Depending on how many computers are in your environment, it may be
> easier to have the non-AD Kerberos clients use the Samba DC
> as the KDC.

Definitely not easier in my case. The current OpenLDAP & Kerberos server will definitely stay and most services will still use it. I need to get a way for MS Windows to mount shares from my server using credentials from the existing OpenLDAP & Kerberos authentication system.

Thank you.

-- 
(stephan paul) Arif Sahari Wibowo
http://www.arifsaha.com/