Patrick Goetz
2022-Jan-10 19:46 UTC
[Samba] Samba domain members and MIT Kerberos configuration...
On 12/27/21 06:54, Marco Gaiarin via samba wrote:
> I'm working on joining some RH-based box to an AD domain, starting from this
> list, the wiki and my debian knowledge. ;-)
>
> I'm speaking of MEMBERS, not DC!
>
> I've found some info googling around, but make reference to 'realmd' and
> 'oddjob' for configuration, that seems to me more 'wrappers' to help
> configuration, so probably can be substituted with more plain 'net ads
> join' and 'pam_mkhomedir'. Correct?
>

If you have selinux turned on, pam-mkhomedir won't work. This is why RHEL created the oddjob thing. You however don't need realmd -- that's aimed at simplifying configuration. adcli works fine. You especially don't need realmd if you're going to use Samba.

> Also, I've found no specific kerberos configuration, apart the hint to add
> this:
>
> [plugins]
>     localauth = {
>         module = winbind:/usr/lib64/samba/krb5/winbind_krb5_localauth.so
>         enable_only = winbind
>     }
>
> (and installing samba-winbind-krb5-locator rpm package).
>
> In the samba wiki I've not found some hint about mit kerberos configuration.
>
> Someone have some clue? Thanks.
>
Rowland Penny
2022-Jan-10 19:57 UTC
[Samba] Samba domain members and MIT Kerberos configuration...
On Mon, 2022-01-10 at 13:46 -0600, Patrick Goetz via samba wrote:
> On 12/27/21 06:54, Marco Gaiarin via samba wrote:
> > I'm working on joining some RH-based box to an AD domain, starting
> > from this list, the wiki and my debian knowledge. ;-)
> >
> > I'm speaking of MEMBERS, not DC!
> >
> > I've found some info googling around, but make reference to
> > 'realmd' and 'oddjob' for configuration, that seems to me more
> > 'wrappers' to help configuration, so probably can be substituted
> > with more plain 'net ads join' and 'pam_mkhomedir'. Correct?
> >
>
> If you have selinux turned on, pam-mkhomedir won't work. This is why
> RHEL created the oddjob thing. You however don't need realmd --
> that's aimed at simplifying configuration. adcli works fine. You
> especially don't need realmd if you're going to use Samba.

You do not need adcli either, just use 'net ads join' and I fail to see how realmd would simplify configuration, red-hat seems to get smb.conf wrong whatever they do.

Rowland