[Samba] samba server with two kerberos realms
Chad William Seys
cwseys at physics.wisc.edu
Wed Mar 2 21:11:46 UTC 2016
> If your users are in /etc/passwd, they are *local* users, if they are
> also in AD, then the *local* user 'foo' is not the same user as 'foo' in AD.
All that matters for authentication on a Kerberos KDC is that the correct
password is given for the username.
Mapping username to UID/GIDs/etc is done by the local computer and access to
files is allowed or disallowed based on the ACLs in the filesystem.
This is working just fine.
> > This works fine as I can log in with ssh using username/password from
> > either Kerberos realm.
> >
> >>> If sssd is not going to work for the overall goal of being able to use
> >>> credentials from either Kerberos realm to authenticate, then I'm happy to
> >>> ditch it!
> >>
> >> I am not saying that sssd won't work for what you are trying to do, you
> >> are just asking this in the wrong place, try the sssd-users mailing list.
> >
> > It seems to me that samba is the sticking point.
>
> No it isn't, you are
Hmm, I agree if by that you mean I am not submitting a patch so that Samba can
understand a list after REALM=. :)
> > I hope to use /etc/passwd /etc/groups as the database of user and groups,
> > not get them from active directory.
>
> Then set up the server as a 'standalone server' and give it a
> different workgroup name; it will then be a separate WORKGROUP and you
> will then have all the problems that entails, including having to keep
> users and passwords in sync with your machines.
Right, that method would be silly because we already have everyone's credentials
in Kerberos servers. Though there are CTDB or other ways of synchronizing tdbs
as an option.
Sadly, the feature of using two or more Kerberos realms for authentication
appears not to be implemented by Samba.
> >> To be honest, I have never needed to do this, but I don't think you
> >> actually authenticate to both Kerberos realms, you just set up a trust
> >> between the two realms; try a search on the internet using 'active
> >> directory' and 'trusts'.
> >
> > I think this would work, so long as the active directory admins agree to
> > add the krbtgt to their database! Crossing my fingers.
>
> I do not think what you are trying to do will work, try talking to your
> active directory admins about *TRUSTS*
Yep, as long as they are agreeable, this appears to be the workaround.
Thanks again!
Chad.