On 29.10.2021 at 13:11, Rowland Penny via samba wrote:
> On Fri, 2021-10-29 at 12:59 +0200, Achim Gottinger via samba wrote:
>>>> Indeed, which raises the question can kerberos be used with local
>>>> account?
>>> This all depends what you mean by 'local account' if you mean an
>>> account that is in /etc/passwd, then, no it will not work, because
>>> the user would be unknown to AD and hence, kerberos.
>>>
>>> Rowland
>>>
>> Hello Rowland,
>>
>> I was talking about a local account on the windows client side.
>> Authentication against the samba server is using NTLMSSP in this
>> case. I thought the file explorer may use kerberos if a valid ticket
>> exists, which is not the case. Was just a wild guess. Kerberos only
>> works if a domain account is used to log in on the windows client.
>>
>> Achim
>>
>> https://en.wikipedia.org/wiki/Security_Support_Provider_Interface
> A 'local' user is a local user whatever the OS and as such isn't a
> domain user, so cannot use kerberos.
>
> Rowland

Well a local user can manually acquire a ticket from kerberos (kinit
[spn]) and use that for authentication.
In fact that is what I use as the "local" root user on linux if I use
samba-tools.

kinit administrator@[DOMAIN REALM]
samba-tools -k [whatever]

Can it be we talk past each other here?

Achim
On Fri, 2021-10-29 at 14:20 +0200, Achim Gottinger wrote:
> On 29.10.2021 at 13:11, Rowland Penny via samba wrote:
> > On Fri, 2021-10-29 at 12:59 +0200, Achim Gottinger via samba wrote:
> > > > > Indeed, which raises the question can kerberos be used with
> > > > > local account?
> > > > This all depends what you mean by 'local account' if you mean
> > > > an account that is in /etc/passwd, then, no it will not work,
> > > > because the user would be unknown to AD and hence, kerberos.
> > > >
> > > > Rowland
> > > >
> > > Hello Rowland,
> > >
> > > I was talking about a local account on the windows client side.
> > > Authentication against the samba server is using NTLMSSP in this
> > > case. I thought the file explorer may use kerberos if a valid
> > > ticket exists, which is not the case. Was just a wild guess.
> > > Kerberos only works if a domain account is used to log in on the
> > > windows client.
> > >
> > > Achim
> > >
> > > https://en.wikipedia.org/wiki/Security_Support_Provider_Interface
> > A 'local' user is a local user whatever the OS and as such isn't a
> > domain user, so cannot use kerberos.
> >
> > Rowland
> Well a local user can manually acquire a ticket from kerberos (kinit
> [spn]) and use that for authentication.
> In fact that is what I use as the "local" root user on linux if I use
> samba-tools.
>
> kinit administrator@[DOMAIN REALM]
> samba-tools -k [whatever]

The local user isn't getting a ticket here, 'Administrator' is, try
running 'username@[DOMAIN REALM]' where 'username' is a local user
unknown to the domain.

Rowland
Dear all,

sorry, I am lost with this and would be grateful for a summary.

We run an active directory based on samba 4.14.7 with a print server
that is configured for driver download.

Connecting to printers and printing from domain-joined computers by
logged-in domain users seems to work. Is this the expected behavior
right now or did we just get lucky?

On non domain joined computers, we experience issues even if users
connect to the printserver using their domain credentials. Connecting
to printers fails with the evil 0x00000709 message.

Is there any known working configuration for this that does not
involve uninstalling the MS updates? Like a change on the server side
or a registry fix on the non domain joined computer?

Thanks for any input,
Christian

On 29.10.2021 14:36, Rowland Penny via samba wrote:
> On Fri, 2021-10-29 at 14:20 +0200, Achim Gottinger wrote:
>> On 29.10.2021 at 13:11, Rowland Penny via samba wrote:
>>> On Fri, 2021-10-29 at 12:59 +0200, Achim Gottinger via samba wrote:
>>>>>> Indeed, which raises the question can kerberos be used with
>>>>>> local account?
>>>>> This all depends what you mean by 'local account' if you mean
>>>>> an account that is in /etc/passwd, then, no it will not work,
>>>>> because the user would be unknown to AD and hence, kerberos.
>>>>>
>>>>> Rowland
>>>>>
>>>> Hello Rowland,
>>>>
>>>> I was talking about a local account on the windows client side.
>>>> Authentication against the samba server is using NTLMSSP in this
>>>> case. I thought the file explorer may use kerberos if a valid
>>>> ticket exists, which is not the case. Was just a wild guess.
>>>> Kerberos only works if a domain account is used to log in on the
>>>> windows client.
>>>>
>>>> Achim
>>>>
>>>> https://en.wikipedia.org/wiki/Security_Support_Provider_Interface
>>> A 'local' user is a local user whatever the OS and as such isn't a
>>> domain user, so cannot use kerberos.
>>>
>>> Rowland
>> Well a local user can manually acquire a ticket from kerberos (kinit
>> [spn]) and use that for authentication.
>> In fact that is what I use as the "local" root user on linux if I use
>> samba-tools.
>>
>> kinit administrator@[DOMAIN REALM]
>> samba-tools -k [whatever]
> The local user isn't getting a ticket here, 'Administrator' is, try
> running 'username@[DOMAIN REALM]' where 'username' is a local user
> unknown to the domain.
>
> Rowland