Hi Rowland,
Thanks for your explanation.
We have set up Samba to authenticate users against an external MIT
Kerberos server and usernames match those in Unix password files.
The setup was almost exactly like the Ubuntu help page:
https://help.ubuntu.com/community/Samba/Kerberos#MIT_Kerberos
There are others who have also set up Samba this way:
https://serverfault.com/questions/659017/possible-to-authenticate-samba-via-kerberos-but-without-domain-join
and others who have contacted the mailing list for help in setting up
Samba this way:
https://lists.samba.org/archive/samba/2017-April/207728.html
After a hint from the Debian bug report (thanks Dan!) I was able to
get Samba working with the external MIT KDC using SSSD. (A working
config is below for the interested.)
However, it would be great if this would function using all Samba
software as previously.
Is there a way to set up winbind/idmap to restore the behavior that
"smbd directly contacts domain controllers"? (Quoted phrase from the
4.8 release notes.)
Thanks for the great software!
Chad.
smb.conf:
# Global parameters
# Note that some of these will vary depending on your setup!
# E.g. do you use vfs_fruit?
[global]
dns proxy = No
hostname lookups = Yes
kerberos method = secrets and keytab
logging = syslog at 1 /var/log/samba/log.%m
map to guest = Bad User
max log size = 100000
panic action = /usr/share/samba/panic-action %d
realm = YOUR.KERB.REALM
security = USER
server signing = required
server string = %h server
workgroup = MYWORKGR
fruit:nfs_aces = no
idmap config * : backend = tdb
--------------------------------------------
sssd.conf:
[sssd]
config_file_version = 2
services = nss, pam
debug_level = 7
domains = YOUR.KERB.REALM
[nss]
filter_groups = root
filter_users = root
debug_level = 7
[pam]
debug_level = 7
[domain/YOUR.KERB.REALM]
debug_level = 7
enumerate = false
# use Unix password files for username validation
id_provider = proxy
proxy_lib_name = files
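As an added illustration (not part of Chad's mail or of Samba's own tooling), the following script reads an smb.conf in the same shape as the one above and flags the [global] settings from this thread that matter for security: whether SMB signing is mandatory, whether "map to guest" turns failed logons into guest sessions, and the combination of a realm with "security = USER" on a server that has no winbind, which is the situation Rowland's reply addresses. The sample text, the function names and the severity labels are constructed for the example; the parser mirrors how Samba treats parameter names (case-insensitive, whitespace ignored, ':' allowed inside names such as "idmap config * : backend").

```python
"""Audit a Samba smb.conf for a few security-relevant [global] settings."""
import configparser
from typing import Dict, List, Tuple

# Constructed sample, modelled on the smb.conf posted in the thread; a real
# file would normally carry share sections too. YOUR.KERB.REALM is a
# placeholder here just as it is in the thread.
SAMPLE_SMB_CONF = """\
# Global parameters
[global]
dns proxy = No
hostname lookups = Yes
kerberos method = secrets and keytab
logging = syslog at 1 /var/log/samba/log.%m
map to guest = Bad User
max log size = 100000
realm = YOUR.KERB.REALM
security = USER
server signing = required
server string = %h server
workgroup = MYWORKGR
fruit:nfs_aces = no
idmap config * : backend = tdb
"""


def normalise(name: str) -> str:
    """Samba compares parameter names case-insensitively and ignores
    whitespace, so 'Server Signing' and 'serversigning' are one parameter."""
    return "".join(name.split()).lower()


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse smb.conf text into {section: {normalised name: raw value}}."""
    parser = configparser.RawConfigParser(
        delimiters=("=",),            # ':' belongs to names like 'idmap config * : backend'
        comment_prefixes=("#", ";"),  # both comment styles smb.conf accepts
        strict=False,                 # Samba tolerates repeated parameters (last one wins)
    )
    parser.optionxform = normalise    # RawConfigParser leaves '%m' / '%h' uninterpolated
    parser.read_string(text)
    return {section: dict(parser.items(section)) for section in parser.sections()}


Finding = Tuple[str, str, str]  # (severity, parameter, message)


def audit_global(conf: Dict[str, Dict[str, str]]) -> List[Finding]:
    """Flag [global] settings that weaken authentication or session security.
    The fallbacks are Samba's documented defaults: server signing = default,
    map to guest = Never, security = user."""
    g = conf.get("global")
    if g is None:
        return [("ERROR", "global", "no [global] section found")]
    findings: List[Finding] = []

    def value(param: str, default: str = "") -> str:
        return g.get(normalise(param), default).strip().lower()

    signing = value("server signing", "default")
    if signing != "required":
        findings.append(("WARN", "server signing",
                         f"is '{signing}', not 'required': unsigned SMB sessions are accepted"))

    guest = value("map to guest", "never")
    if guest != "never":
        findings.append(("INFO", "map to guest",
                         f"is '{guest}': some failed logons are turned into guest sessions"))

    # The point of the thread: Samba 4.8 removed smbd's direct contact with
    # domain controllers, so Kerberos logons on a 'security = user' server
    # with a realm set need winbind rather than smbd alone.
    if value("realm") and value("security", "user") == "user":
        findings.append(("INFO", "realm",
                         "realm set with security = user: since Samba 4.8 smbd no longer "
                         "contacts domain controllers itself, so winbind is required"))
    return findings


if __name__ == "__main__":
    for severity, param, msg in audit_global(parse_smb_conf(SAMPLE_SMB_CONF)):
        print(f"{severity}: {param} {msg}")
```

Run it against a real file with parse_smb_conf(open("/etc/samba/smb.conf").read()); on the configuration from this thread it reports no warning about signing (it is already "required") and two informational findings, one for "map to guest = Bad User" and one for the realm/security combination that SSSD is currently papering over.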
On Tue, 26 Jun 2018 16:22:36 -0500 Chad William Seys <cwseys at physics.wisc.edu> wrote:
> Hi Rowland,
> Thanks for your explanation.
> We have set up Samba to authenticate users against an external MIT
> Kerberos server and usernames match those in Unix password files.
>
> The setup was almost exactly like the Ubuntu help page:
> https://help.ubuntu.com/community/Samba/Kerberos#MIT_Kerberos
> There are others who have also set up Samba this way:
> https://serverfault.com/questions/659017/possible-to-authenticate-samba-via-kerberos-but-without-domain-join
> and others who have contacted the mailing list for help in setting
> up Samba this way:
> https://lists.samba.org/archive/samba/2017-April/207728.html
>
> After a hint from the Debian bug report (thanks Dan!) I was able
> to get Samba working with the external MIT KDC using SSSD. (A
> working config is below for the interested.)

Samba does not support sssd, it isn't a Samba product.

> However, it would be great if this would function using all Samba
> software as previously.

It is supported, you just have to use winbind and join the domain.

> Is there a way to set up winbind/idmap to restore the behavior
> that "smbd directly contacts domain controllers"? (Quoted phrase from
> the 4.8 release notes.)

Don't think so, the option was explicitly removed from smbd.

>
> Thanks for the great software!
> Chad.
>
> smb.conf:
> # Global parameters
> # Note that some of these will vary depending on your setup!
> # E.g. do you use vfs_fruit?
> [global]
> dns proxy = No
> hostname lookups = Yes
> kerberos method = secrets and keytab
> logging = syslog at 1 /var/log/samba/log.%m
> map to guest = Bad User
> max log size = 100000
> panic action = /usr/share/samba/panic-action %d
> realm = YOUR.KERB.REALM
> security = USER
> server signing = required
> server string = %h server
> workgroup = MYWORKGR
> fruit:nfs_aces = no
> idmap config * : backend = tdb

Nice STANDALONE SERVER smb.conf.

Rowland