
Re: [Samba] Authentification against kerberos / sssd




On 11.12.18 at 15:36, tseegerkrb via samba wrote:
> On 11.12.18 15:23, Rowland Penny via samba wrote:
> > On Tue, 11 Dec 2018 15:09:39 +0100
> > tseegerkrb via samba <samba@xxxxxxxxxxxxxxx> wrote:
> > >
> > > Hello list,
> > >
> > > a quick question. Right now I have a combination of MIT Kerberos,
> > > OpenLDAP and SSSD for authenticating my users. Is there a way that
> > > Samba can use this setup to perform user authentication? I only want
> > > to access the shares of the Samba server from about 8 Windows
> > > computers. I am aware that I cannot make an Active Directory out of
> > > this.

The Samba 3 code supports OpenLDAP as a store for users, machines, groups and other things you need.

> > > At the moment I have stored the users in a local passdb, which works
> > > but is very unpleasant.

This is really bad. I assume that you mean your userdb for Samba is local tdb files.

Switch to ldapsam.

> > That is why Microsoft came up with domains ;-)
> >
> > If you look at Active Directory, it is basically composed of kerberos,
> > ldap and dns, so you can replace your kerberos and ldap servers with a
> > Samba AD DC; this also comes with winbind, which will replace sssd.
> >
> > There is just one possible fly in the ointment: you mention MIT & sssd,
> > is this using a red-hat OS?
> > If it is, you cannot use the OS packages to create an AD DC, or if you
> > can (Fedora), it shouldn't be used in production.
> >
> > Rowland
>
> Hello Rowland,
>
> thanks for your answer but I don't want to replace my kerberos & ldap
> setup with an AD server. Basically I only want to control access to the
> handful of Samba shares.

Your users should auth against OpenLDAP with exop control enabled. OpenLDAP should hand over the auth to Kerberos. And then install slapo-smbk5pwd on your OpenLDAP server. This overlay will sync the Samba passwords.

Hint: I have never used sssd and I am sure I never will. For this classic Samba setup I prefer nslcd as PAM and NSS provider. Winbind will also do.

If you are interested in such a setup, I am willing to help.

> Thorsten

--

Harry
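
The Samba side of the ldapsam setup recommended above, as an added example that is not part of the original thread. Host names, DNs and the workgroup are placeholders, and the OpenLDAP server is assumed to already carry the Samba schema and the smbk5pwd overlay with its samba module enabled.

```ini
# /etc/samba/smb.conf (constructed example; all names are placeholders)
[global]
    workgroup = EXAMPLE
    server role = standalone server
    security = user

    # Account database in OpenLDAP instead of local tdb files
    passdb backend = ldapsam:ldap://ldap.example.org
    ldap suffix = dc=example,dc=org
    ldap user suffix = ou=People
    ldap group suffix = ou=Groups
    ldap machine suffix = ou=Computers
    ldap admin dn = cn=samba,dc=example,dc=org

    # Use StartTLS so the bind password and the NT hashes do not cross
    # the network in cleartext
    ldap ssl = start tls

    # On a password change, send only the LDAP password-modify extended
    # operation and leave updating sambaNTPassword to the overlay on the server
    ldap passwd sync = only
```

The bind password for the `ldap admin dn` is stored with `smbpasswd -w`. The `sambaNTPassword` attribute should be readable only by that DN, because the NT hash is password-equivalent.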

