Dear all,
sorry, I am lost with this and would be grateful for a summary. We run
an active directory based on samba 4.14.7 with a print server that is
configured for driver download. Connecting to printers and printing from
domain-joined computers by logged-in domain users seems to work. Is this
the expected behavior right now or did we just get lucky?
On non domain joined computers, we experience issues even if users
connect to the printserver using their domain credentials. Connecting to
printers fails with the evil 0x00000709 message. Is there any known
working configuration for this that does not involve uninstalling the MS
updates? Like a change on the server side or a registry fix on the non
domain joined computer?
Thanks for any input,
Christian

On 29.10.2021 14:36, Rowland Penny via samba wrote:
> On Fri, 2021-10-29 at 14:20 +0200, Achim Gottinger wrote:
>> On 29.10.2021 at 13:11, Rowland Penny via samba wrote:
>>> On Fri, 2021-10-29 at 12:59 +0200, Achim Gottinger via samba wrote:
>>>>>> Indeed, which raises the question can kerberos be used with
>>>>>> local account?
>>>>> This all depends what you mean by 'local account' if you mean an
>>>>> account that is in /etc/passwd, then, no it will not work, because
>>>>> the user would be unknown to AD and hence, kerberos.
>>>>>
>>>>> Rowland
>>>>>
>>>>>
>>>>>
>>>> Hello Rowland,
>>>>
>>>> I was talking about a local account on the windows client side.
>>>> Authentication against the samba server is using NTLMSSP in this
>>>> case. I thought the file explorer may use kerberos if a valid ticket
>>>> exists, which is not the case. Was just a wild guess. Kerberos only
>>>> works if a domain account is used to log in on the windows client.
>>>>
>>>> Achim
>>>>
>>>>
>>>> https://en.wikipedia.org/wiki/Security_Support_Provider_Interface
>>> A 'local' user is a local user whatever the OS and as such isn't a
>>> domain user, so cannot use kerberos.
>>>
>>> Rowland
>> Well a local user can manually acquire a ticket from kerberos (kinit
>> [spn]) and use that for authentication.
>> In fact that is what I use as the "local" root user on linux if I use
>> samba-tools.
>>
>> kinit administrator@[DOMAIN REALM]
>> samba-tools -k [whatever]
> The local user isn't getting a ticket here, 'Administrator' is, try
> running 'username@[DOMAIN REALM]' where 'username' is a local user
> unknown to the domain.
>
> Rowland
>
>
>