[Samba] Kerberos authentication when accessing samba domain member when PDC is also samba

Anton Starikov ant.starikov at gmail.com
Tue Dec 15 12:22:21 MST 2009


Hi!

I have the following setup:

PDC: Samba 3.0.25b-apple, Mac OS X 10.5.8 Server. (Let's call it Serv1.)
Machines can join the domain. Clients can use Kerberos to authenticate. Everything works pretty well.

Domain member: Samba 3.2.7-11.4.1-2210-SUSE-CODE11, openSUSE 11.1. (Let's call it Serv2.)
This server has joined the domain. Clients can connect, the server authenticates clients on the domain controller, everything is good, with one exception: clients can't use Kerberos authentication when they access Serv2. Serv2 is unable to check the validity of tickets.

Is it possible to have such a config working (Samba domain members accepting Kerberos authentication) without a Windows-based ADS?

Here I provide the effective [global] section for both servers:

Serv1:
Server role: ROLE_DOMAIN_PDC
[global]
        dos charset = 437
        unix charset = UTF-8-MAC
        display charset = UTF-8-MAC
        workgroup = MY_DOMAIN
        realm = XX.MY.REALM.HERE
        server string = PDC
        auth methods = guest, odsam
        map to guest = Bad User
        obey pam restrictions = Yes
        passdb backend = odsam
        lanman auth = No
        use kerberos keytab = Yes
        log level = 2
        debug pid = Yes
        max xmit = 131072
        name resolve order = lmhosts wins bcast host
        max smbd processes = 100
        printcap name = cups
        add user script = /usr/bin/opendirectorypdbconfig -c create_user_account -r %u -n /LDAPv3/127.0.0.1
        add machine script = /usr/bin/opendirectorypdbconfig -c create_computer_account -r %u -n /LDAPv3/127.0.0.1
        logon script = logon.cmd
        logon path = XXX
        logon drive = XXX
        logon home = XXX
        domain logons = Yes
        os level = 65
        preferred master = Yes
        domain master = Yes
        wins server = 130.89.4.21
        usershare path = /var/samba/shares
        idmap domains = default
        idmap alloc backend = odsam
        idmap negative cache time = 5
        com.apple:filter shares by access = yes
        darwin_streams:brlm = yes
        idmap config default:backend = odsam
        idmap config default:default = yes
        acl check permissions = No
        ea support = Yes
        stream support = Yes
        use sendfile = Yes
        printing = cups
        print command = 
        lpq command = %p
        lprm command = 
        include = /var/db/smb.conf
        vfs objects = darwinacl, darwin_streams

Serv2:
Server role: ROLE_DOMAIN_MEMBER
[global]
        workgroup = MY_DOMAIN
        realm = XX.MY.REALM.HERE
        server string = file-server
        security = domain
        map to guest = Bad User
        password server = my.pdc.hostname.here
        log file = /var/log/samba/log.%m.%U
        printcap name = cups
        add machine script = /usr/sbin/useradd  -c Machine -d /var/lib/nobody -s /bin/false %m$
        domain master = No
        wins server = wins_servers_here
        winbind use default domain = Yes
        cups options = raw
        include = /etc/samba/dhcp.conf

I tried to put "security = ADS" for Serv2, but it doesn't change a lot. And, obviously, you can't "net ads join" on Serv2, because Serv1 isn't really ADS.

Does anyone have ideas how to get this setup working? I'm pretty sure there should be some magical trick, because Serv1 definitely can accept krb5 tickets, and Serv2 is able to use this method, at least in the case of an ADS controller.

Of course I can try to work it a different way (put security=USER for Serv2 and spend days and hours trying to get it to authorize against Open Directory), but I would rather prefer to stick to the "domain" concept.

Anton.
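A Kerberos service can only validate a client's ticket if its own keytab holds the key for the service principal the client requested (for an SMB server, cifs/FQDN@REALM, with host/FQDN@REALM commonly present as well), so the first thing to check on a member like Serv2 is whether the keytab it uses actually contains those principals for the realm named in smb.conf. The script below is an added diagnostic, not something from the original post or from the Samba project: it reads the realm from a [global] section and compares it against "klist -k" style output. Both inputs here are constructed samples, and the hostname serv2.xx.my.realm.here is an assumption; on a real server you would feed it the actual smb.conf and the output of klist -k for the keytab smbd uses.

```sh
#!/bin/sh
# Added diagnostic (not from the original post): verify that a Samba domain
# member's Kerberos keytab holds the service principals it needs to validate
# client tickets for the realm configured in smb.conf.

# Constructed sample [global] section modelled on Serv2's (realm only matters here).
SMB_CONF_SAMPLE='[global]
        workgroup = MY_DOMAIN
        realm = XX.MY.REALM.HERE
        security = domain'

# Constructed sample in the format printed by "klist -k"; on a real member
# run: klist -k /etc/krb5.keytab
KLIST_SAMPLE='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/serv2.xx.my.realm.here@XX.MY.REALM.HERE
   2 cifs/serv2.xx.my.realm.here@XX.MY.REALM.HERE'

# realm_from_conf CONF_TEXT  -> prints the value of "realm =" from the config text
realm_from_conf() {
    printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*realm[[:space:]]*=[[:space:]]*//p' \
        | head -n 1
}

# has_principal KLIST_TEXT PRINCIPAL  -> exit 0 if the principal is listed, 1 otherwise
# (klist -k prints "KVNO Principal", so the principal is the second field)
has_principal() {
    printf '%s\n' "$1" | awk -v p="$2" '$2 == p { found = 1 } END { exit found ? 0 : 1 }'
}

# check_keytab CONF_TEXT KLIST_TEXT FQDN
#   prints one "ok"/"MISSING" line per required principal; exit 0 only if none is missing
check_keytab() {
    realm=$(realm_from_conf "$1")
    missing=0
    for svc in host cifs; do
        princ="$svc/$3@$realm"
        if has_principal "$2" "$princ"; then
            echo "ok      $princ"
        else
            echo "MISSING $princ"
            missing=1
        fi
    done
    return $missing
}

# Usage with the constructed samples (hostname is an assumption):
check_keytab "$SMB_CONF_SAMPLE" "$KLIST_SAMPLE" "serv2.xx.my.realm.here"
```

If the cifs/ principal is reported missing, the member has no key with which to decrypt the service ticket, which matches the symptom of a server that "cannot check the validity of tickets"; a realm mismatch between smb.conf and the keytab shows up the same way.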
