[Samba] kerberos + winbind + AD authentication for samba 4 domain member

Rowland Penny rpenny at samba.org
Wed Nov 1 21:14:24 UTC 2017


On Wed, 1 Nov 2017 22:00:59 +0100
Kacper Wirski <kacper.wirski at gmail.com> wrote:

> Ok, at least I know that it's not the fault of my configuration.
> 
> I was hoping that there may be some kerberos/kinit option to modify
> systemwide default principal pattern, or maybe something could be
> done with how winbind presents AD users to local OS while still..
> Can't have everything it seems.
> 
> In this case there is my follow-up question:
> - how will this work on DCs? I know that winbind is integrated into
> main "samba" process. I don't have test-dc right now and I can't test
> it, but is it at all possible to set "use default domain = yes" on
> samba DC and not impair anything? On the DCs it's not as important
> to me, as only few actual domain users will ever actually log there
> (only admins), but still I'd rather have as much consistency across
> all systems, as possible.
> 
> Regards,
> Kacper
> 

This is one thing that was throwing me, 'winbind use default domain =
yes' has no effect on a DC.

But:

SAMDOM\rowland@dc3:~$ whoami
SAMDOM\rowland
SAMDOM\rowland@dc3:~$ kinit
Password for rowland@SAMDOM.EXAMPLE.COM: 
SAMDOM\rowland@dc3:~$ klist
Ticket cache: FILE:/tmp/krb5cc_10000_g4wijO
Default principal: rowland@SAMDOM.EXAMPLE.COM

Like a lot of things, it works differently on a DC.

Rowland



