Rowland Penny
2022-Feb-03 13:17 UTC
[Samba] Failing authentication when PAC present in kerberos service ticket
On Thu, 2022-02-03 at 14:55 +0200, Ahti Seier via samba wrote:
> Hello,
>
> We have been running samba in standalone mode (security = user) with
> kerberos authentication.
> So I was wondering. What benefits will I actually get from running
> winbind instead of having NSS on the hosts resolve users and groups?
>
> Or am I going about this a wrong way? Is there a better way to
> authenticate AD users to a non-AD joined host?

I do not understand why you are running FreeIPA and AD; they both do basically the same thing. I also do not understand why you are using standalone servers in an AD/FreeIPA domain.

The benefits you will get from turning your standalone servers into Unix domain members are ACL support and NTLM fallback.

I think we need a bit more info: why do you need to run standalone servers?

Rowland
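For readers following Rowland's suggestion, this is an added example (not from the thread and not Samba project documentation) of the smb.conf a Unix domain member would use instead of the standalone `security = user` setup: winbind resolves AD users and groups, the RID idmap backend gives stable Unix IDs, and `acl_xattr` provides the Windows ACL support he mentions. The workgroup, realm and ID ranges are placeholders and must be replaced with the site's own values.

```ini
# Added example: Samba as an AD domain member (security = ADS), replacing
# the standalone "security = user" configuration discussed in the thread.
# EXAMPLE / EXAMPLE.COM and the idmap ranges are placeholders.
[global]
   workgroup = EXAMPLE
   realm = EXAMPLE.COM
   security = ADS

   # winbind owns user/group lookups; the default domain gets a tdb range,
   # the AD domain gets deterministic SID-RID to UID/GID mapping.
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config EXAMPLE : backend = rid
   idmap config EXAMPLE : range = 10000-999999
   winbind use default domain = yes
   winbind refresh tickets = yes

   # Service ticket validation uses the keytab written by "net ads join";
   # the machine password in secrets.tdb is the NTLM fallback Rowland names.
   kerberos method = secrets and keytab

   # Windows ACLs stored as extended attributes on the file system.
   vfs objects = acl_xattr
   map acl inherit = yes

[data]
   path = /srv/samba/data
   read only = no
```

After `net ads join -U Administrator`, `net ads testjoin` should report "Join is OK", and with `winbind` added to the `passwd:` and `group:` lines of /etc/nsswitch.conf, `wbinfo -u` and `getent passwd someaduser` must both return AD users before any share is tested. If `getent` fails while `wbinfo` works, the NSS side (libnss_winbind, nsswitch.conf) is the problem rather than the join.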
Ahti Seier
2022-Feb-03 13:38 UTC
[Samba] Failing authentication when PAC present in kerberos service ticket
As far as I know FreeIPA and AD do similar things to different entities. Windows hosts, including workstations, are joined to Active Directory and centrally managed by Microsoft tools. Cannot do that with FreeIPA. Linux servers are joined to FreeIPA. This allows us to control service access (including samba), sudo rights, ssh keys, certificates etc. from a central location (FreeIPA). AD, as far as I know, does not allow us to do this for Linux hosts (not without a custom schema anyway).

As I mentioned before, there is a kerberos trust between FreeIPA and AD. So AD users on their Windows workstations can access services hosted on Linux hosts in a different kerberos realm. Most users are like this; very few users are in the FreeIPA domain.

Samba is run in standalone mode because I cannot join it to the AD domain with the hostname it has. That DNS domain has a different kerberos realm mapped and it just would not work. Also there does not seem to be an easy way of having samba join the FreeIPA domain.

On Thu, 3 February 2022 at 15:18, Rowland Penny via samba (<samba at lists.samba.org>) wrote:
> On Thu, 2022-02-03 at 14:55 +0200, Ahti Seier via samba wrote:
> > Hello,
> >
> > We have been running samba in standalone mode (security = user) with
> > kerberos authentication.
> > So I was wondering. What benefits will I actually get from running
> > winbind instead of having NSS on the hosts resolve users and groups?
> >
> > Or am I going about this a wrong way? Is there a better way to
> > authenticate AD users to a non-AD joined host?
>
> I do not understand why you are running FreeIPA and AD; they both do
> basically the same thing. I also do not understand why you are using
> standalone servers in an AD/FreeIPA domain.
>
> The benefits you will get from turning your standalone servers into
> Unix domain members are ACL support and NTLM fallback.
>
> I think we need a bit more info: why do you need to run standalone
> servers?
>
> Rowland