In my old Samba/NT/OpenLDAP domains I used to set up, on some specific
hosts/VMs, a simple authentication scheme: I simply created some users
locally (e.g. 'adduser'), and then I set up only the PAM part of LDAP.
Now, on Samba/AD, it seems to me I should use Kerberos. And it also
seems TOO easy!
I've simply installed 'libpam-krb5', replied to the debconf question
with the AD/Kerberos domain/realm and... voilà, it works as expected.
Cool! ;-)
But, lacking some docs on the Samba wiki, I have some more questions:
a) I suppose that Kerberos uses DNS to resolve servers; in a complex
setup, is there some way to have Kerberos use the servers from the same
site?
b) I use the same setup on firewalls, which have no knowledge of the
internal DNS. Is there some way to set up Kerberos authentication with
'no DNS'?! E.g., putting some info in /etc/hosts?!
Thanks.
--
dott. Marco Gaiarin GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia''
http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it t +39-0434-842711 f +39-0434-842797
Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
(tax code 00307430132, category ONLUS or HEALTH RESEARCH)
On 05/28/2018 09:23 AM, Marco Gaiarin via samba wrote:
> In my old Samba/NT/OpenLDAP domains I used to set up, on some specific
> hosts/VMs, a simple authentication scheme: I simply created some users
> locally (e.g. 'adduser'), and then I set up only the PAM part of LDAP.
>
> Now, on Samba/AD, it seems to me I should use Kerberos. And it also
> seems TOO easy!
>
> I've simply installed 'libpam-krb5', replied to the debconf question
> with the AD/Kerberos domain/realm and... voilà, it works as expected.
> Cool! ;-)
>
> But, lacking some docs on the Samba wiki, I have some more questions:
>
> a) I suppose that Kerberos uses DNS to resolve servers; in a complex
> setup, is there some way to have Kerberos use the servers from the same
> site?
>
> b) I use the same setup on firewalls, which have no knowledge of the
> internal DNS. Is there some way to set up Kerberos authentication with
> 'no DNS'?! E.g., putting some info in /etc/hosts?!

Yes, check the documentation of krb5.conf. In summary you will need to
disable dns_canonicalize_hostname, dns_lookup_kdc, etc. if enabled and
set your admin and kdc hostnames there, something like:

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com:88
        master_kdc = kdc.example.com:88
        admin_server = kadmin.example.com:749
        default_domain = example.com
        ....
    }

> Thanks.
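A worked version of the krb5.conf approach described in the reply above, as an added example that is not part of this thread and not Samba or MIT Kerberos project code: a POSIX shell script that renders a krb5.conf with DNS discovery switched off and every KDC named explicitly, renders the matching /etc/hosts lines a host without internal DNS needs (question b), and then checks that every kdc and admin_server name in the config is actually covered by those hosts lines, since a missing entry would silently push the client back to DNS. Naming KDCs per host also gives a blunt answer to question a: each host is pinned to the DCs you list for it. The realm AD.EXAMPLE.COM, the hosts dc1/dc2, the 192.0.2.x addresses and the staging directory are all constructed assumptions; master_kdc is deliberately left out because the thread does not settle how to pick it.

```shell
#!/bin/sh
# Added example, not code from the thread. Renders a DNS-independent
# krb5.conf plus matching /etc/hosts lines, then checks them against each
# other. Realm, host names and addresses are constructed assumptions.
set -eu

# Emit a krb5.conf that never consults DNS for Kerberos: SRV/TXT lookups
# and hostname canonicalization are off and every KDC is named explicitly.
# Usage: render_krb5_conf REALM ADMIN_SERVER KDC1 [KDC2 ...]
render_krb5_conf() {
    realm=$1; admin=$2; shift 2
    domain=$(printf '%s' "$realm" | tr 'A-Z' 'a-z')
    printf '[libdefaults]\n'
    printf '    default_realm = %s\n' "$realm"
    printf '    dns_lookup_kdc = false\n'            # no _kerberos._udp SRV queries
    printf '    dns_lookup_realm = false\n'          # no _kerberos TXT queries
    printf '    dns_canonicalize_hostname = false\n' # use names as typed
    printf '    rdns = false\n'                      # no reverse lookups
    printf '\n[realms]\n'
    printf '    %s = {\n' "$realm"
    for kdc in "$@"; do                  # one line per DC this host may use
        printf '        kdc = %s:88\n' "$kdc"
    done
    printf '        admin_server = %s:749\n' "$admin"
    printf '        default_domain = %s\n' "$domain"
    printf '    }\n'
    printf '\n[domain_realm]\n'          # static name-to-realm mapping
    printf '    .%s = %s\n' "$domain" "$realm"
    printf '    %s = %s\n' "$domain" "$realm"
}

# Emit /etc/hosts lines ("IP FQDN [alias]") so the names above resolve
# through the hosts file rather than DNS.
render_hosts() {
    for entry in "$@"; do
        printf '%s\n' "$entry"
    done
}

# Return 0 only if the rendered config disables DNS KDC discovery and
# names at least one KDC explicitly.
check_no_dns() {
    printf '%s\n' "$1" | grep -q '^ *dns_lookup_kdc = false' || return 1
    printf '%s\n' "$1" | grep -q '^ *kdc = ' || return 1
}

# Return 0 only if every kdc/admin_server host in the config appears as a
# name in the hosts text; a missing entry means kinit would need DNS.
check_hosts_cover() {
    conf=$1; hosts=$2
    names=$(printf '%s\n' "$conf" |
        sed -n -e 's/^ *kdc = \([^:]*\).*/\1/p' \
               -e 's/^ *admin_server = \([^:]*\).*/\1/p' | sort -u)
    for name in $names; do
        printf '%s\n' "$hosts" |
            awk -v n="$name" '{ for (i = 2; i <= NF; i++) if ($i == n) ok = 1 }
                              END { exit ok ? 0 : 1 }' || return 1
    done
}

# Constructed sample: two DCs of one site, the first also serving kadmin.
CONF=$(render_krb5_conf AD.EXAMPLE.COM dc1.ad.example.com \
           dc1.ad.example.com dc2.ad.example.com)
HOSTS=$(render_hosts "192.0.2.11 dc1.ad.example.com dc1" \
                     "192.0.2.12 dc2.ad.example.com dc2")

# Stage the files instead of writing to /etc; review and copy them over.
STAGE=${STAGE:-./krb5-stage}
mkdir -p "$STAGE"
printf '%s\n' "$CONF"  > "$STAGE/krb5.conf"
printf '%s\n' "$HOSTS" > "$STAGE/hosts.append"
if check_no_dns "$CONF" && check_hosts_cover "$CONF" "$HOSTS"; then
    echo "staged DNS-independent Kerberos config in $STAGE"
else
    echo "staged config still depends on DNS; fix before installing" >&2
fi
```

The script only writes into a staging directory; the review step before copying to /etc/krb5.conf and appending to /etc/hosts is deliberate, because on a firewall a wrong hosts entry means every Kerberos login on that box fails until it is corrected. The libdefaults set here go further than the reply's list: dns_lookup_realm and rdns are also turned off so that neither realm discovery nor reverse lookups can reintroduce a DNS dependency.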
Hello! Robert Marcano via samba, on that day, wrote...

> Yes, check the documentation of krb5.conf.

Ahem, 'apt-get install krb5-doc' is missing. ;-)

> In summary you will need to disable dns_canonicalize_hostname,
> dns_lookup_kdc, etc. if enabled and set your admin and kdc hostnames
> there, something like:

How can I determine the kdc and master_kdc values? All DC servers are
KDCs, and the FSMO role holder is the master_kdc?