
Re: [Samba] Winbind, Kerberos, SSH and Single Sign On




Hi,

I solved my problem. For some reason the auth_to_local rule didn't work. When I change the krb5.conf to

[libdefaults]
        default_realm = SUBDOM2.SUBDOM1.EXAMPLE.DE
        dns_lookup_realm = true
        dns_lookup_kdc = true
        ticket_lifetime = 24h
        renew_lifetime = 7d
        forwardable = true

[realms]
   SUBDOM2.SUBDOM1.EXAMPLE.DE = {
        auth_to_local = RULE:[1:$0@$1](SUBDOM2\.SUBDOM1\.EXAMPLE\.DE@.*)s/\.SUBDOM1\.EXAMPLE\.DE@/+/
        auth_to_local = RULE:[1:$0@$1](EXAMPLE\.DE@.*)s/\.DE@/+/
        auth_to_local = DEFAULT
   }


everything is working. But I have no idea why it didn't work.

--
Regards
Andreas



On 02.11.2017 at 11:29, Andreas Hauffe via samba wrote:
Hi,

a new hint. If I change the default_realm in krb5.conf to EXAMPLE.DE then the kerberized ssh is working for a user from example.de (user1@xxxxxxxxxx) and not working for a user from subdom2.subdom1.example.de (testuser@xxxxxxxxxxxxxxxxxxxxxxxxxx).

So with the actual configuration I'm able to use kerberized ssh for users from example.de or users from subdom2.subdom1.example.de but not both.
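
The two RULE entries in the krb5.conf above can be checked offline with a small model of how MIT Kerberos evaluates auth_to_local, which shows the local account name each principal ends up with. This is an added example, not part of the original post: the helper name map_principal is hypothetical, Python's re module stands in for POSIX regular expressions, and the sample principals are constructed.

```python
import re

# Rules and default_realm copied from the krb5.conf in the message above.
DEFAULT_REALM = "SUBDOM2.SUBDOM1.EXAMPLE.DE"
RULES = [
    r"RULE:[1:$0@$1](SUBDOM2\.SUBDOM1\.EXAMPLE\.DE@.*)s/\.SUBDOM1\.EXAMPLE\.DE@/+/",
    r"RULE:[1:$0@$1](EXAMPLE\.DE@.*)s/\.DE@/+/",
    "DEFAULT",
]
# RULE:[n:format](regexp)s/pattern/replacement/g ; regexp and s/// are optional.
RULE_RE = re.compile(r"RULE:\[(\d+):([^\]]*)\](?:\((.*?)\))?(?:s/(.*?)/(.*?)/(g?))?")


def map_principal(principal, rules=RULES, default_realm=DEFAULT_REALM):
    """Hypothetical helper: return the local name for a principal, or None."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    for rule in rules:
        if rule == "DEFAULT":
            # DEFAULT only applies to one-component principals in the default realm.
            if len(comps) == 1 and realm == default_realm:
                return comps[0]
            continue
        parsed = RULE_RE.fullmatch(rule)
        if parsed is None:
            raise ValueError("unsupported rule: " + rule)
        n, fmt, regexp, pat, repl, g = parsed.groups()
        if len(comps) != int(n):
            continue  # rule is written for a different number of components
        values = [realm] + comps  # $0 is the realm, $1.. are the components
        selection = re.sub(r"\$(\d)", lambda m: values[int(m.group(1))], fmt)
        # The regexp has to match the whole selection string, not a substring.
        if regexp is not None and not re.fullmatch(regexp, selection):
            continue
        if pat is not None:
            selection = re.sub(pat, lambda m: repl, selection, count=0 if g else 1)
        return selection
    return None  # no rule matched: the principal maps to no local account


if __name__ == "__main__":
    for p in ("testuser@SUBDOM2.SUBDOM1.EXAMPLE.DE", "user1@EXAMPLE.DE",
              "host/server@EXAMPLE.DE", "user1@OTHER.EXAMPLE"):  # constructed
        print(p, "->", map_principal(p))
```

A principal that returns None here has no local account to log in to, so any extra rule should be checked the same way to confirm it does not map an unintended realm onto an existing local name.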


