Web lists-archives.com

Re: [Samba] PAM only and Kerberos...




On 05/28/2018 09:23 AM, Marco Gaiarin via samba wrote:

In my old Samba/NT/OpenLDAP domains i was used to setup, on some
specific hosts/VM, a simple authentication scheme, so i simply create
locally (eg 'adduser') some users, and then i setupped only PAM part
of ldap.

Seems to me now, on Samba/AD, to use Kerberos. And seems also TOO easy!

I've simply installed 'libpam-krb5', reply to the debconfig question
wit the AD/Kerberos domain/realm and... voilà, works as expected. Cool!
;-)


But, lacking some docs on samba wiki, i've some question more:

a) i suppose that Kerberos use DNS to resolve servers; in a complex
  setup there's some way to have kerberos use the servers from the same
  site?

b) i use the same setup in firewalls, that have no knowledge of
  internal DNS. There's some way to setup kerberos authentication with
'no DNS'?! EG, putting some info on /etc/hosts?!


Yes, check the documentation of krb5.conf. In summary you will need to disable dns_canonicalize_hostname dns_lookup_kdc , etc if enabled and set you admin and kdc hostnames there, something like:


[realms]
 EXAMPLE.COM = {
  kdc = kdc.example.com:88
  master_kdc = kdc.example.com:88
  admin_server = kadmin.example.com:749
  default_domain = example.com
  ....
}



Thanks.



--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba