Dorian Taylor (Lists)
2021-Jan-22 19:15 UTC
[Samba] Minimum footprint for authenticating CIFS shares with Kerberos
Good day,

I have a home office network where, because of work, I already have:

* an LDAP server
* a Kerberos KDC/admin server
* a DNS server

What I am after is a quasi-replacement for the AFS server I just removed after ten years, i.e., I want to access files over a network, and I want to be able to authenticate to that service using Kerberos.

I followed some instructions to set Samba up as an Active Directory PDC, but I didn't realize, at the outset, that meant spinning up a bunch of its own daemons that are fighting for the same ports a bunch of services are already running on.

(For what it's worth, the server is Ubuntu 20.04, which is curiously missing a systemd service definition for the `samba` daemon.)

I suppose my question is: To what extent can I configure Samba to provide just enough material to, for instance, fool a Mac's native CIFS client into authenticating to a Samba share with Kerberos?

Thanks in advance,

--
Dorian Taylor
Make things. Make sense.
https://doriantaylor.com
Rowland penny
2021-Jan-22 19:56 UTC
[Samba] Minimum footprint for authenticating CIFS shares with Kerberos
On 22/01/2021 19:15, Dorian Taylor (Lists) via samba wrote:
> Good day,
>
> I have a home office network where, because of work, I already have:
>
> * an LDAP server
> * a Kerberos KDC/admin server
> * a DNS server

You do realise that they are the main components of AD.

> What I am after is a quasi-replacement for the AFS server I just removed after ten years, i.e., I want to access files over a network, and I want to be able to authenticate to that service using Kerberos.
>
> I followed some instructions to set Samba up as an Active Directory PDC

No such thing, there is an AD DC and an NT4-style PDC, but they are totally different things?

> , but I didn't realize, at the outset, that meant spinning up a bunch of its own daemons that are fighting for the same ports a bunch of services are already running on.

I take it you haven't read any AD documentation?

> (For what it's worth, the server is Ubuntu 20.04, which is curiously missing a systemd service definition for the `samba` daemon.)

This is because you now use 'samba-ad-dc' to start the Samba AD DC and 'smbd', 'nmbd' and 'winbind' to start the daemons for a Unix domain member.

> I suppose my question is: To what extent can I configure Samba to provide just enough material to, for instance, fool a Mac's native CIFS client into authenticating to a Samba share with Kerberos?

Easy, turn off your ldap server, KDC and DNS server, then start your AD DC with 'systemctl start samba-ad-dc', though you will probably have to unmask it first.

Rowland
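A pre-flight check for the port clash the thread describes, added here as an example and not code from either poster: it reads `ss -Hltnup` style output and reports which ports a Samba AD DC needs that another daemon already holds, so you know what to stop before `systemctl start samba-ad-dc`. The port list follows Samba's documented AD DC port requirements rather than anything stated in this thread, and the embedded `ss` sample is constructed.

```shell
#!/bin/sh
# Ports a Samba AD DC binds (TCP and/or UDP). Assumption: taken from the
# Samba wiki's AD DC port list, not from this thread.
AD_DC_PORTS="53 88 135 137 138 139 389 445 464 636 3268 3269"

# ad_dc_port_conflicts: read `ss -Hltnup` lines on stdin (Netid State Recv-Q
# Send-Q Local:Port Peer:Port Process) and print "<port> <process>" once per
# AD DC port that some other daemon already listens on. Other ports are
# ignored; IPv4/IPv6 listeners on the same port are collapsed into one line.
ad_dc_port_conflicts() {
    while read -r netid state recvq sendq laddr peer rest; do
        port=${laddr##*:}                       # handles 0.0.0.0:53, *:389, [::]:88
        case " $AD_DC_PORTS " in
            *" $port "*) ;;
            *) continue ;;
        esac
        # Pull the process name out of users:(("name",pid=N,fd=M)); needs root
        # for ss to show other users' processes, otherwise "unknown".
        proc=$(printf '%s\n' "$rest" | sed -n 's/.*users:(("\([^"]*\)".*/\1/p')
        printf '%s %s\n' "$port" "${proc:-unknown}"
    done | sort -un
}

# Constructed sample of `ss -Hltnup` output: the poster's existing DNS, KDC and
# LDAP servers plus one unrelated listener (CUPS) that must not be reported.
SAMPLE_SS_OUTPUT='udp   UNCONN 0 0    0.0.0.0:53   0.0.0.0:* users:(("named",pid=812,fd=20))
tcp   LISTEN 0 128  0.0.0.0:88   0.0.0.0:* users:(("krb5kdc",pid=900,fd=5))
tcp   LISTEN 0 128  [::]:88      [::]:*    users:(("krb5kdc",pid=900,fd=6))
tcp   LISTEN 0 1024 *:389        *:*       users:(("slapd",pid=950,fd=7))
tcp   LISTEN 0 128  127.0.0.1:631 0.0.0.0:* users:(("cupsd",pid=600,fd=7))'

# Demo on the sample; on a real host run: ss -Hltnup | ad_dc_port_conflicts
printf '%s\n' "$SAMPLE_SS_OUTPUT" | ad_dc_port_conflicts
```

Every port it prints is one the AD DC will fail to bind until that service is stopped or moved, which is exactly the "fighting for the same ports" symptom from the first post.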