[Samba] samba server with two kerberos realms
Chad William Seys
cwseys at physics.wisc.edu
Tue Mar 1 23:16:33 UTC 2016
Hi Rowland,
> Are you using sssd or nslcd ?
I am using sssd. I can ssh into the server using credentials from either
kerberos realm.
E.g.
ssh cwseys at PHYSICS.WISC.EDU@smb01.physics.wisc.edu
(works)
ssh seys at AD.WISC.EDU@smb01.physics.wisc.edu
(works)
PHYSICS.WISC.EDU is an MIT kerberos KDC.
AD.WISC.EDU is a active directory KDC (etc).
The reason I thought sssd would be best is because I want to use the
/etc/passwd file for user existence and was easy to set up.
If sssd is not going to work for the overall goal of being able to use
credentials from either Kerberos realm to authenticate, then I'm happy to
ditch it!
> Also on a domain member (this is what you have), you cannot use ' unix
> password sync', mainly because you can have users etc in AD or in
> /etc/passwd, but not both.
I thought as much, but also did not remove this default from the smb.conf as
yet. There are other mechanisms for changing passwords in the two Kerberos
realms.
>
> To answer your original question, no I don't think you can have two
> 'Realms'. What you can have are trusts, I suggest you start here to see
> how to setup smb.conf correctly:
>
> https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member
I did not see anything useful for setting up authentication to multiple
Kerberos realms or multiple trusts.
>Sorry but it isn't a standalone server.
>
>> # testparm
>> Load smb config files from /etc/samba/smb.conf
>> Processing section "[generic]"
>> Loaded services file OK.
>> Server role: ROLE_DOMAIN_MEMBER
Hmm, I also have 'server role = standalone server' in the config file, but I
guess that has been overridden.
I have run 'net ads join -U myADUser' when REALM=AD.WISC.EDU .
It looks like 'net ads join' adds a machine principal into the AD.WISC.EDU
kerberos database and into the local machine's keytab. What other config does
it change?
Does 'net ads join' also override the 'server role =' in smb.conf and this
explains why 'Server role ROLE_DOMAIN_MEMBER' instead of standalone?
Thanks for the help!
Chad.
More information about the samba
mailing list