Local KDC and Samba
Alexander Bokovoy
ab at samba.org
Tue Jan 21 07:50:57 UTC 2025
On Mon, 20 Jan 2025, Steve French wrote:
> have you done any experiments with cifs-utils and cifs.ko?
No, we haven't yet.
cifs.upcall.c needs a bit of a rewrite. Right now it forces krb5 mech in
GSSAPI calls, that needs to be changed to use iakerb or krb5 depending
on configuration. Also, currently cifs.upcall.c does not always go
through GSSAPI and rather chooses raw kerberos API in some cases which
arguably should not be done this way if we ever want to support IAKerb
proxying.
The logic right now is the following:
- if we have no credentials identified by cifs.upcall, use GSSAPI, in the
hope that GSSAPI would pull a credential somehow
- otherwise, pull creds manually and construct a GSSAPI-like exchange
manually
The latter will not work because it assumes you have a direct line of sight
to the KDC, which is not the case with IAKerb: you only have line of sight
to the SMB server, and the SMB server has line of sight to the KDC (be it
local or remote, doesn't matter).
>
> On Mon, Jan 20, 2025 at 2:33 AM Andreas Schneider <asn at samba.org> wrote:
> >
> > On Monday, 20 January 2025 07:11:30 CET Alexander Bokovoy via samba-technical
> > wrote:
> > > On Sun, 19 Jan 2025, Steve French wrote:
> > > > Is there documentation (or example howto, walkthrough etc.) on how to
> > > > setup the new Local KDC features of Samba server?
> > > >
> > > > I wanted to try some experiments with the Linux client to make sure
> > > > the new type of krb5 mounts work fine. For the server I am using
> > > > current Samba master branch on Ubuntu.
> > >
> > > There are bits and pieces which aren't merged yet in both MIT Kerberos
> > > and Samba.
> > >
> > > Your best way of testing is by using COPR repository Andreas created for
> > > Fedora as it includes prepared packages.
> > >
> > > See https://gitlab.com/cryptomilk/localkdc and
> > > https://copr.fedorainfracloud.org/coprs/asn/localkdc/
> > >
> > > Andreas gave some instructions in this comment:
> > > https://github.com/SSSD/sssd/issues/7723#issuecomment-2597864370
> >
> > For using IAKerb you need smbd and smbclient built from:
> >
> > https://git.samba.org/?p=asn/samba.git;a=shortlog;h=refs/heads/asn-iakerb
> >
> >
> > Edit the smb.conf and add:
> >
> > include /etc/samba/localkdc.conf
> >
> > at the end of the [global] section after you ran localkdc-setup!
> >
> > You can then connect to smbd using the mdns name of the machine
> > (<hostname>.local).
> >
> > Example:
> >
> > smbclient //samba-iakerb.local//share -Uasn@SAMBA-IAKERB.LOCALKDC.SITE --use-kerberos=required
> >
> >
> > Best regards
> >
> >
> > Andreas
> >
> > --
> > Andreas Schneider asn at samba.org
> > Samba Team www.samba.org
> > GPG-ID: 8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D
> >
> >
>
>
> --
> Thanks,
>
> Steve
--
/ Alexander Bokovoy