[Samba] kerberos + winbind + AD authentication for samba 4 domain member
- Date: Tue, 31 Oct 2017 22:46:53 +0100
- From: Kacper Wirski via samba <samba@xxxxxxxxxxxxxxx>
- Subject: [Samba] kerberos + winbind + AD authentication for samba 4 domain member
I'm setting up AD user logins for a CentOS 7.4 box. I've almost managed to
do everything the way I want and the way I think it should be, but I'm
missing the last piece:
For ssh access I read parts of the
Most docs recommend using the setting in smb.conf:
winbind use default domain = no
That means that all domain users have the DOMAIN\ prefix attached. As per
the aforementioned wiki document I made the workaround for authentication
in krb5.conf, and it works OK.
What isn't working is "kinit" as-is for a logged-in AD user. To be more
precise: it works if I explicitly specify the username
It works as expected (asks for password and grants a ticket);
otherwise plain "kinit" uses the posix username by default, which in this
case is DOMAIN\myusername, so it looks for:
DOMAINmyusername@xxxxxxxxxxxxx and fails with "no principal found in
database" (and rightly so), because obviously it should use
I know it's not strictly samba related, and I could simply change
winbind use default domain = yes
as a workaround; this way everything works as expected, except that in
all docs it's described as a not recommended setup, because of possible
confusion about which user is from DOMAIN and which is local, and of course
when multiple domains come into play.
So maybe someone knows of a valid workaround, how to force kinit to
automatically remove/strip the DOMAIN prefix from e.g.
DOMAINmyusername@xxxxxxxxxxxxx and change it into
myusername@xxxxxxxxxxxxx? My understanding is that krb5.conf
"auth_to_local" works the other way around: it takes a valid principal
and rewrites it so that it matches the posix user, and won't work in this
case, as it's the other way round (posix user has to be translated into
My environment is:
CentOS 7.4 OS
samba 4.5.x is the AD DC
samba 4.6.9 is the domain member server, and all tests are done on this machine.
As I said, kerberos overall works fine, and it's not strictly a samba
issue, but the issue is because of the samba configuration and the added DOMAIN
Any help/input/comments are appreciated.
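Added example (editor's note, not part of the original post and not the poster's or the Samba project's code): the prefix-stripping wrapper the poster is asking for, done in the shell rather than in krb5.conf. The reason plain kinit ends up with DOMAINmyusername is my reading of the symptom: MIT Kerberos treats a backslash in a principal string as an escape character, so the separator is swallowed rather than rejected. The functions below take the POSIX name as reported by id(1), cut off everything up to and including the winbind separator (assumed to be the default backslash; a different "winbind separator" can be passed as the second argument), and hand the bare sAMAccountName to kinit, which then appends the default_realm from /etc/krb5.conf exactly as "kinit myusername" does by hand. Names without a separator (local accounts) are passed through unchanged. The function names and the --run flag are my own.

```shell
#!/bin/sh
# Added example, not from the original post: strip the winbind DOMAIN\ prefix
# from a POSIX username so that kinit looks up user@REALM instead of
# DOMAINuser@REALM.
#
# Assumptions (editor's, not the poster's):
#   - "winbind separator" is at its default, a backslash; pass another
#     separator as the second argument if you changed it in smb.conf.
#   - default_realm in /etc/krb5.conf is the AD realm, so a bare username
#     is enough for kinit (the poster reports this already works).

# ad_principal NAME [SEP]
# Prints NAME with everything up to and including the first SEP removed.
# A name without SEP (a local account) is printed unchanged.
ad_principal() {
    name=$1
    sep=$2
    [ -n "$sep" ] || sep='\'
    case $name in
        *"$sep"*) printf '%s\n' "${name#*"$sep"}" ;;
        *)        printf '%s\n' "$name" ;;
    esac
}

# ad_domain NAME [SEP]
# Prints the DOMAIN part of NAME, or an empty line when there is no prefix.
# Useful for deciding whether the account is a domain or a local one before
# trying Kerberos at all.
ad_domain() {
    name=$1
    sep=$2
    [ -n "$sep" ] || sep='\'
    case $name in
        *"$sep"*) printf '%s\n' "${name%%"$sep"*}" ;;
        *)        printf '\n' ;;
    esac
}

# ad_kinit [NAME]
# Runs kinit for the stripped name. Defaults to the current user as reported
# by id(1), which is the DOMAIN\user string kinit would otherwise pick up.
# Local accounts are passed through, so the function is safe to alias as
# "kinit" for everyone on the box.
ad_kinit() {
    user=$(ad_principal "${1:-$(id -un)}")
    kinit "$user"
}

# Invoke as "./ad_kinit.sh --run" (current user) or
# "./ad_kinit.sh --run 'DOMAIN\myusername'". Without --run the file only
# defines the functions, so it can also be sourced from a profile script.
if [ "${1:-}" = "--run" ]; then
    ad_kinit "${2:-}"
fi
```

The check worth keeping from this: the mapping is a pure string operation on the POSIX side, before any Kerberos library sees the name, which is why auth_to_local cannot express it. With "winbind use default domain = no" kept, ad_domain still tells the two account kinds apart, so the confusion the docs warn about is not reintroduced.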