igor noredinoski
2025-Apr-09 13:49 UTC
[Samba] Samba 4.2.15 and MIT Kerberos External Authentication
> > The local on site domain is a realm that has a list of usernames and samba
> > accounts but authentication is off loaded onto an external realm and
> > there is a one way trust relationship where the local samba server
> > trusts the external realm -- all that is required is that there is a
> > local username and username map on local samba server.
>
> Sorry, but if you are running Samba as an AD DC, it must be the point of
> truth, it must hold all the AD records and your AD domain clients must
> use it for authentication.

Thank you. In this case what I am attempting to do is use the experimental features of the server where the point of truth is the Samba ADC for the local domain, but the password authentication for users is pulled from an external Kerberos realm. What we are trying to do is integrate into the corporate Kerberos environment and will later try to set up MFA from it.

The end goal is: a sysadmin creates a new user account, username only, that is created and approved on the local Samba ADC. When the user logs in, they use their corporate credentials and then also use an MFA device such as a smartphone, or whatnot, to log in on the workstation. (The MFA integration I will tackle later.)

At present, kinit works for foo@DEPARTMENT.LOCAL and foo@COMPANY.COM fine from the command line.
Rowland Penny
2025-Apr-09 14:40 UTC
[Samba] Samba 4.2.15 and MIT Kerberos External Authentication
On Wed, 9 Apr 2025 09:49:32 -0400
igor noredinoski via samba <samba@lists.samba.org> wrote:

> > > The local on site domain is a realm that has a list of usernames and
> > > samba accounts but authentication is off loaded onto an external realm
> > > and there is a one way trust relationship where the local samba
> > > server trusts the external realm -- all that is required is that
> > > there is a local username and username map on local samba server.
> >
> > Sorry, but if you are running Samba as an AD DC, it must be the
> > point of truth, it must hold all the AD records and your AD domain
> > clients must use it for authentication.
>
> Thank you. In this case what I am attempting to do is use the
> experimental features of the server where the point of truth is the
> Samba ADC for the local domain but the password authentication for
> users is pulled from an external Kerberos realm. What we are trying
> to do is integrate into the corporate Kerberos environment and will
> later try to set up MFA from it.
>
> The end goal is, sysadmin creates a new user account, username only,
> that is created and approved on local Samba ADC. When the user logs
> in, they use their corporate credentials and then also use an MFA
> device such as a smartphone, or whatnot, to log in on the
> workstation. (The MFA integration I will tackle later.)

Not sure this is going to work. Normally your users etc. from domain_A will have to fully exist on the domain_A DC; you will then have to have a trust between domain_A and domain_B, and this will then allow users from one domain to log on via the other. This has nothing to do with the Kerberos KDC.

Rowland