[Samba] samba server with two kerberos realms
Rowland Penny
rpenny at samba.org
Wed Mar 2 09:07:17 UTC 2016
On 01/03/16 23:16, Chad William Seys wrote:
> Hi Rowland,
>
>> Are you using sssd or nslcd ?
> I am using sssd. I can ssh into the server using credentials from either
> kerberos realm.
> E.g.
> ssh cwseys@PHYSICS.WISC.EDU@smb01.physics.wisc.edu
> (works)
> ssh seys@AD.WISC.EDU@smb01.physics.wisc.edu
> (works)
>
> PHYSICS.WISC.EDU is an MIT Kerberos KDC.
> AD.WISC.EDU is an Active Directory KDC (etc).
>
> The reason I thought sssd would be best is because I want to use the
> /etc/passwd file for user existence and it was easy to set up.
You cannot have the same user in /etc/passwd and AD, i.e. user 'foo' in
/etc/passwd could, and probably would, be seen as the AD user 'foo'.
>
> If sssd is not going to work for the overall goal of being able to use
> credentials from either Kerberos realm to authenticate, then I'm happy to
> ditch it!
I am not saying that sssd won't work for what you are trying to do; you
are just asking this in the wrong place. Try the sssd-users mailing list.
>
>> Also on a domain member (this is what you have), you cannot use 'unix
>> password sync', mainly because you can have users etc. in AD or in
>> /etc/passwd, but not both.
> I thought as much, but also did not remove this default from the smb.conf as
> yet. There are other mechanisms for changing passwords in the two Kerberos
> realms.
>
>> To answer your original question, no I don't think you can have two
>> 'Realms'. What you can have are trusts, I suggest you start here to see
>> how to setup smb.conf correctly:
>>
>> https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member
> I did not see anything useful for setting up authentication to multiple
> Kerberos realms or multiple trusts.
To be honest, I have never needed to do this, but I don't think you
actually authenticate to both Kerberos realms; you just set up a trust
between the two realms. Try a search on the internet using 'active
directory' and 'trusts'.
>
>> Sorry but it isn't a standalone server.
>>
>>> # testparm
>>> Load smb config files from /etc/samba/smb.conf
>>> Processing section "[generic]"
>>> Loaded services file OK.
>>> Server role: ROLE_DOMAIN_MEMBER
> Hmm, I also have 'server role = standalone server' in the config file, but I
> guess that has been overridden.
Just adding 'server role' to a machine you have joined to a domain isn't
going to make it a standalone server. The definition of a 'standalone
server' is a server that is not connected to a domain and holds its own
database of users, groups etc.
>
> I have run 'net ads join -U myADUser' when REALM=AD.WISC.EDU.
>
> It looks like 'net ads join' adds a machine principal into the AD.WISC.EDU
> kerberos database and into the local machine's keytab. What other config does
> it change?
It probably creates a keytab.
>
> Does 'net ads join' also override the 'server role =' in smb.conf and this
> explains why 'Server role ROLE_DOMAIN_MEMBER' instead of standalone?
Yes.
Rowland
> Thanks for the help!
> Chad.
>
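As an added example (not part of this thread), a POSIX shell check for the overlap Rowland warns about: the same login, or the same uid under different names, present both in /etc/passwd and in the domain's user mapping on a domain member. The passwd-format lines below are constructed samples; on a real member you would pass the contents of /etc/passwd and the domain users as `getent passwd` shows them.

```shell
#!/bin/sh
# Detect account collisions between the local passwd database and the
# domain's user mapping on a Samba domain member.

# Constructed sample: local /etc/passwd (name:pw:uid:gid:gecos:home:shell)
LOCAL_PASSWD='root:x:0:0:root:/root:/bin/sh
foo:x:1001:1001:Local Foo:/home/foo:/bin/sh
backup:x:1002:1002:Backup:/home/backup:/bin/sh'

# Constructed sample: domain users as nsswitch would present them
DOMAIN_PASSWD='foo:*:10005:10000:AD Foo:/home/AD/foo:/bin/bash
alice:*:10006:10000:Alice:/home/AD/alice:/bin/bash
bob:*:1002:10000:Bob:/home/AD/bob:/bin/bash'

# Print one line per collision:
#   "name <login>"                 same login in both sources
#   "uid <n> <local> <domain>"     same uid, different logins
account_collisions() {
    local_db=$1 domain_db=$2
    # Feed the domain entries first, a separator, then the local entries,
    # so a single awk pass can index the domain side before comparing.
    {
        printf '%s\n' "$domain_db"
        printf '%s\n' '--'
        printf '%s\n' "$local_db"
    } | awk -F: '
        $0 == "--" { in_local = 1; next }
        !in_local  { dname[$1] = 1; duid[$3] = $1; next }
        NF >= 3 {
            if ($1 in dname)
                print "name " $1
            if (($3 in duid) && duid[$3] != $1)
                print "uid " $3 " " $1 " " duid[$3]
        }'
}

# Number of collisions found (0 means the two sources do not overlap).
collision_count() {
    account_collisions "$1" "$2" | wc -l | tr -d ' '
}

account_collisions "$LOCAL_PASSWD" "$DOMAIN_PASSWD"
```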