Re: [Samba] kerberos + winbind + AD authentication for samba 4 domain member
- Date: Tue, 31 Oct 2017 22:20:14 +0000
- From: Rowland Penny via samba <samba@xxxxxxxxxxxxxxx>
- Subject: Re: [Samba] kerberos + winbind + AD authentication for samba 4 domain member
On Tue, 31 Oct 2017 22:46:53 +0100
Kacper Wirski via samba <samba@xxxxxxxxxxxxxxx> wrote:
> I'm setting up AD user logins for centos 7.4 box. I've almost managed
> to do everything the way I want and the way I think it should be, but
> I'm missing last piece:
> For ssh access I read parts of the
> Most docs recommend using the setting in smb.conf:
> winbind use default domain = no
> that means that all domain users have DOMAIN\ prefix attached. As per
> the aforementioned wiki document I made the workaround for
> authentication to krb5.conf, and it works OK.
> What isn't working is "kinit" as-is for logged in AD user. To be more
> precise: it works if I specify explicitly username
> kinit myusername
> kinit mysusername@xxxxxxxxxxxxx
> It works as expected (asks for password and grants ticket)
> otherwise plain "kinit" uses by default posix username, which in
> this case is DOMAIN\myusername, so it looks for:
> DOMAINmyusername@xxxxxxxxxxxxx and fails with no principal found in
> database (and rightly so), because obviously it should use
> I know it's not strictly samba related, and I could simply change
> winbind use default domain = yes
> as a workaround, this way everything works as expected, except that
> in all docs it's described as not recommended setup, because of
> possible confusion which user is from DOMAIN and which is local, and
> of course when multiple domains come into play.
> So maybe someone knows of a valid workaround, how to force kinit to
> automatically remove/strip DOMAIN prefix from e.g.
> DOMAINmyusername@xxxxxxxxxxxxx and change it into
> myusername@xxxxxxxxxxxxx? My understanding is that krb5.conf
> "auth_to_local" works the other way around, so it takes valid
> principal, and rewrites it so that it matches posix user and won't
> work in this case, as it's the other way round (posix user has to be
> translated into valid principal).
> My environment is:
> centos 7.4 OS
> samba 4.5.x is the AD DC
> samba 4.6.9 is domain member server and all tests are done on this
> As I said, kerberos overall works fine, and it's not strictly samba
> issue, but the issue is because of samba configuration and added
> DOMAIN prefix.
> Any help/input/comments are appreciated.
> Regards, Kacper
You have something set up incorrectly; if I log into a Unix domain
member and run 'kinit', it works:
Password for rowland@xxxxxxxxxxxxxxxxxx:
It also works on a DC.
Can you post the following files:
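An added helper, not from either message and not part of Samba or MIT Kerberos, that performs the POSIX-name-to-principal mapping Kacper describes (DOMAIN\myusername to myusername@REALM) so a wrapper can call kinit with an explicit principal. It assumes the default winbind separator `\` and a krb5.conf whose [libdefaults] carries default_realm.

```shell
#!/bin/sh
# Added example (not from the thread): derive the Kerberos principal that
# "kinit" should use from a winbind-style POSIX user name such as
# DOMAIN\myusername when "winbind use default domain = no" is set.
# Assumptions: the winbind separator is "\" (the default) and the realm
# comes from default_realm in krb5.conf. Local users (no separator) are
# passed through unchanged, which keeps the DOMAIN/local distinction.

# Strip the "DOMAIN<sep>" prefix. Usage: strip_domain_prefix USER [SEP]
strip_domain_prefix() {
    user=$1
    sep=${2:-\\}
    case $user in
        *"$sep"*) printf '%s\n' "${user#*"$sep"}" ;;
        *)        printf '%s\n' "$user" ;;
    esac
}

# Read default_realm from a krb5.conf-style file, uppercased.
default_realm_from_krb5conf() {
    sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" \
        | head -n 1 | tr '[:lower:]' '[:upper:]'
}

# Build user@REALM. Usage: principal_for POSIX_USER REALM [SEP]
principal_for() {
    short=$(strip_domain_prefix "$1" "${3:-\\}")
    case $short in
        *@*) printf '%s\n' "$short" ;;          # already a full principal
        *)   printf '%s@%s\n' "$short" "$2" ;;
    esac
}

# Wrapper: kinit for the logged-in user with the DOMAIN prefix removed.
kinit_as_current_user() {
    realm=$(default_realm_from_krb5conf "${KRB5_CONFIG:-/etc/krb5.conf}")
    kinit "$(principal_for "$(id -un)" "$realm")"
}
```

Source the file and run `kinit_as_current_user` in place of a bare `kinit`; pass a different separator as the third argument of `principal_for` if `winbind separator` is changed in smb.conf.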