[Samba] Kerberos authentication when accessing samba domain member when PDC is also samba
Anton Starikov
ant.starikov at gmail.com
Tue Dec 15 12:22:21 MST 2009
Hi!
I have the following setup:
PDC: Samba 3.0.25b-apple, Mac OS X 10.5.8 server. (Let's call it Serv1)
Machines can join the domain. Clients can use Kerberos to authenticate. Everything works pretty well.
Domain member: Samba 3.2.7-11.4.1-2210-SUSE-CODE11, OpenSUSE 11.1. (Let's call it Serv2)
This server joined the domain. Clients can connect, the server authenticates clients on the domain controller, everything is good, with one exception: clients can't use Kerberos authentication when they access Serv2. Serv2 is unable to check the validity of tickets.
Is it possible to have such a config working (Samba domain members accepting Kerberos authentication) without a Windows-based ADS?
Here I provide the effective [global] section for both servers:
Serv1:
Server role: ROLE_DOMAIN_PDC
[global]
dos charset = 437
unix charset = UTF-8-MAC
display charset = UTF-8-MAC
workgroup = MY_DOMAIN
realm = XX.MY.REALM.HERE
server string = PDC
auth methods = guest, odsam
map to guest = Bad User
obey pam restrictions = Yes
passdb backend = odsam
lanman auth = No
use kerberos keytab = Yes
log level = 2
debug pid = Yes
max xmit = 131072
name resolve order = lmhosts wins bcast host
max smbd processes = 100
printcap name = cups
add user script = /usr/bin/opendirectorypdbconfig -c create_user_account -r %u -n /LDAPv3/127.0.0.1
add machine script = /usr/bin/opendirectorypdbconfig -c create_computer_account -r %u -n /LDAPv3/127.0.0.1
logon script = logon.cmd
logon path = XXX
logon drive = XXX
logon home = XXX
domain logons = Yes
os level = 65
preferred master = Yes
domain master = Yes
wins server = 130.89.4.21
usershare path = /var/samba/shares
idmap domains = default
idmap alloc backend = odsam
idmap negative cache time = 5
com.apple:filter shares by access = yes
darwin_streams:brlm = yes
idmap config default:backend = odsam
idmap config default:default = yes
acl check permissions = No
ea support = Yes
stream support = Yes
use sendfile = Yes
printing = cups
print command =
lpq command = %p
lprm command =
include = /var/db/smb.conf
vfs objects = darwinacl, darwin_streams
Serv2:
Server role: ROLE_DOMAIN_MEMBER
[global]
workgroup = MY_DOMAIN
realm = XX.MY.REALM.HERE
server string = file-server
security = domain
map to guest = Bad User
password server = my.pdc.hostname.here
log file = /var/log/samba/log.%m.%U
printcap name = cups
add machine script = /usr/sbin/useradd -c Machine -d /var/lib/nobody -s /bin/false %m$
domain master = No
wins server = wins_servers_here
winbind use default domain = Yes
cups options = raw
include = /etc/samba/dhcp.conf
I tried to put "security = ADS" for Serv2, but it doesn't change much. And, obviously, you can't "net ads join" on Serv2, because Serv1 isn't really ADS.
Does anyone have ideas how to get this setup working? I'm pretty sure there should be some magical trick, because Serv1 definitely can accept krb5 tickets, and Serv2 is able to use this method, at least in the case of the ADS controller above.
Of course I can try to do it a different way (put security = USER for Serv2 and spend days and hours trying to get it to authorize against Open Directory), but I would rather prefer to stick to the "domain" concept.
Anton.
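As an added example, not part of Anton's post and not Samba's own tooling: a POSIX shell check a member-server admin can run to compare the realm configured in smb.conf with a `klist -k` listing of the server's keytab and report which service principals (host/ and cifs/) are absent, since a member that has no keytab entry for its own service principal cannot decrypt the service tickets clients present. Hostnames, keytab contents and the smb.conf fragment are constructed samples.

```shell
#!/bin/sh
# Added diagnostic, not from the original post. Parses `klist -k` style
# output ("KVNO Principal" lines) and a [global] section from smb.conf.

# Constructed sample: keytab that has only a host/ entry for the member.
SAMPLE_KEYTAB_HOST_ONLY='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------
   3 host/serv2.example.com@XX.MY.REALM.HERE'

# Constructed sample: keytab that also carries the cifs/ service principal.
SAMPLE_KEYTAB_COMPLETE='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------
   3 host/serv2.example.com@XX.MY.REALM.HERE
   3 cifs/serv2.example.com@XX.MY.REALM.HERE'

# Constructed sample [global] fragment, using the realm from the post.
SAMPLE_SMB_CONF='[global]
realm = xx.my.realm.here
security = domain'

# smb_realm CONF_TEXT -> prints the realm value, upper-cased as Kerberos expects.
smb_realm() {
  printf '%s\n' "$1" \
    | sed -n 's/^[[:space:]]*realm[[:space:]]*=[[:space:]]*//p' \
    | head -n 1 | tr '[:lower:]' '[:upper:]'
}

# keytab_has_principal LISTING PRINCIPAL -> exit 0 if the exact principal is listed.
keytab_has_principal() {
  printf '%s\n' "$1" | awk -v want="$2" \
    '$2 == want { found = 1 } END { exit(found ? 0 : 1) }'
}

# keytab_missing_spns LISTING FQDN REALM -> prints each missing service
# principal (one per line); prints nothing when host/ and cifs/ both exist.
keytab_missing_spns() {
  for svc in host cifs; do
    if ! keytab_has_principal "$1" "$svc/$2@$3"; then
      echo "$svc/$2@$3"
    fi
  done
}

# Stand-alone usage: report what the host-only keytab lacks for the member.
keytab_missing_spns "$SAMPLE_KEYTAB_HOST_ONLY" serv2.example.com \
  "$(smb_realm "$SAMPLE_SMB_CONF")"
```

On a real member the listing comes from `klist -k` on the server's keytab and the realm from `testparm -s`, which is how the [global] sections in the post were produced.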