
Re: [Samba] Samba AD DC authenticated by external Kerberos (~ Re: Samba authentication using non-AD Kerberos?)

I currently have the following configuration:

* My "authentication" servers are Samba 4 "classic" domain controllers.
* Samba uses an LDAP backend (specifically Oracle Directory Server). The user accounts have both unix and samba attributes.
* The authentication servers are also configured as Oracle Solaris Kerberos KDCs. The Kerberos principal and password data is also stored in LDAP.


Active directory doesn't play a role.

The result is that one user account can be used to authenticate Windows clients (joined to the domain), unix clients (using Kerberos) and internal web sites that use LDAP authentication. The catch is that each user actually has 3 passwords (one for Kerberos, one for Windows, one for LDAP). The workaround is to have the Samba password sync script change the LDAP and Kerberos passwords at the same time a user changes his or her Windows password. Unix users will use the smbpasswd command to change passwords.


Since I have an Oracle KDC with Oracle LDAP server on Oracle Solaris OS, integrating Kerberos and LDAP is not that difficult. You still use kadmin to manage Kerberos principals. Having Kerberos data in LDAP makes replicating data between multi-master KDCs much easier.

On 04/27/17 09:22, S P Arif Sahari Wibowo via samba wrote:
> On 2017-04-27, 07:13, Gaiseric Vandal via samba wrote:
>> A Samba AD directory server (domain controller) is its own Kerberos server. I don't see how you could configure it to use another KDC.
>
> I don't know Kerberos much, so I am wondering, can something like this be "delegated"?
>
>> Depending on how many computers are in your environment, it may be easier to have the non-AD Kerberos clients use the Samba DC as the KDC.
>
> Definitely not easier in my case. The current OpenLDAP & Kerberos server will definitely stay and most services will still use it. I need to get a way for MS Windows to mount shares from my server using credentials from the existing OpenLDAP & Kerberos authentication system.
>
> Thank you.


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
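The password sync script the first poster describes (Samba calls it as its `passwd program`, and the script pushes the new Windows password into the Kerberos KDC and the LDAP entry) could look like the following. This is an added example, not the poster's own script: the smb.conf parameters named in the header are real Samba options, but the realm, LDAP URI, base DN, admin DN and password-file path are constructed placeholders, and the script assumes an MIT-style `kadmin.local` and OpenLDAP's `ldappasswd` on the DC.

```shell
#!/bin/sh
# sync-krb5-passwd: run by Samba as its "passwd program" when a Windows user
# changes their password, so the Kerberos principal and the LDAP userPassword
# get the same new value and the user ends up with one password, not three.
#
# Added example, not the poster's script. Assumed smb.conf wiring (real
# parameters, values chosen here):
#   unix password sync = yes
#   passwd program     = /usr/local/sbin/sync-krb5-passwd %u
#   passwd chat        = *New*password* %n\n *Retype*new*password* %n\n *changed*
# Realm, LDAP URI, base DN, admin DN and password file are constructed placeholders.
set -u

KRB_REALM="${KRB_REALM:-EXAMPLE.COM}"
LDAP_URI="${LDAP_URI:-ldaps://ldap.example.com}"
LDAP_BASE="${LDAP_BASE:-ou=People,dc=example,dc=com}"
LDAP_ADMIN_DN="${LDAP_ADMIN_DN:-cn=Directory Manager}"
LDAP_ADMIN_PWFILE="${LDAP_ADMIN_PWFILE:-/etc/samba/ldap-admin.pw}"   # root-only, mode 0600
DRY_RUN="${DRY_RUN:-0}"   # 1 = print the commands instead of running them

# Accept only usernames that are safe to splice into a kadmin command and an
# LDAP DN: non-empty, no leading '-', and only [A-Za-z0-9._-].
valid_username() {
    case "$1" in
        '' | -* | *[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Change the Kerberos principal's password. The cpw command is written to
# kadmin.local's stdin (not passed via -q), so the password is never on a
# command line where `ps` could see it. Assumes an MIT-style kadmin.local.
set_krb5_password() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "kadmin.local <<< 'cpw -pw **** $1@$KRB_REALM'"
        return 0
    fi
    printf 'cpw -pw "%s" %s@%s\n' "$2" "$1" "$KRB_REALM" | kadmin.local >/dev/null
}

# Change the LDAP userPassword so web sites binding against LDAP see the same
# password. The new password travels through a 0600 temp file (-T), not argv.
# Assumes OpenLDAP client tools on the DC.
set_ldap_password() {
    dn="uid=$1,$LDAP_BASE"
    if [ "$DRY_RUN" = 1 ]; then
        echo "ldappasswd -x -H $LDAP_URI -D '$LDAP_ADMIN_DN' -y $LDAP_ADMIN_PWFILE -T <tmpfile> '$dn'"
        return 0
    fi
    umask 077
    tmp=$(mktemp) || return 1
    printf '%s' "$2" > "$tmp"
    ldappasswd -x -H "$LDAP_URI" -D "$LDAP_ADMIN_DN" -y "$LDAP_ADMIN_PWFILE" -T "$tmp" "$dn"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Validate, then change Kerberos first and LDAP second. A non-zero exit makes
# Samba leave the Windows password unchanged, so a failure never leaves the
# three stores out of step.
sync_passwords() {
    if ! valid_username "$1"; then
        echo "sync-krb5-passwd: refusing unsafe username" >&2
        return 1
    fi
    # Double quotes and control characters would break the kadmin command
    # parser or the chat, so they are refused rather than escaped.
    case "$2" in
        '' | *\"* | *[[:cntrl:]]*) echo "sync-krb5-passwd: unsupported password" >&2; return 1 ;;
    esac
    set_krb5_password "$1" "$2" || return 1
    set_ldap_password "$1" "$2"
}

# Dialogue matching the passwd chat above; Samba drives it over a pty.
main() {
    [ $# -eq 1 ] || { echo "usage: sync-krb5-passwd USERNAME" >&2; exit 2; }
    printf 'New password: '; IFS= read -r pw1
    printf '\nRetype new password: '; IFS= read -r pw2
    echo
    [ "$pw1" = "$pw2" ] || { echo "Passwords do not match" >&2; exit 1; }
    sync_passwords "$1" "$pw1" && echo "Password changed"
}

# Run only when invoked under the script's own name; sourcing just defines the functions.
case "${0##*/}" in sync-krb5-passwd) main "$@" ;; esac
```

Samba runs the `passwd program` before it updates its own hashes, so a non-zero exit here leaves all three stores unchanged rather than half-synced; the username check matters because Samba hands the script whatever name the client supplied, and that string ends up inside a kadmin command and an LDAP DN. With `DRY_RUN=1` the script only prints what it would run, which is the easiest way to check the wiring before pointing it at a live KDC.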