[Samba] Samba AD DC authenticated by external Kerberos (~ Re: Samba authentication using non-AD Kerberos?)
Gaiseric Vandal
gaiseric.vandal at gmail.com
Thu Apr 27 14:35:25 UTC 2017
I currently have the following configuration:

* My "authentication" servers are Samba 4 "classic" domain controllers.
* Samba uses an LDAP backend (specifically Oracle Directory Server.)
  The user accounts have both Unix and Samba attributes.
* The authentication servers are also configured as Oracle Solaris
  Kerberos KDCs. The Kerberos principal and password data is
  also stored in LDAP.

Active Directory doesn't play a role.

The result is that one user account can be used to authenticate Windows
clients (joined to the domain), Unix clients (using Kerberos) and
internal web sites that use LDAP authentication. The catch is that each
user actually has 3 passwords (one for Kerberos, one for Windows, one
for LDAP.) The workaround is to have the Samba password sync script
change the LDAP and Kerberos passwords at the same time a user changes his
or her Windows password. Unix users will use the smbpasswd command
to change passwords.

Since I have an Oracle KDC with an Oracle LDAP server on Oracle Solaris OS,
integrating Kerberos and LDAP is not that difficult. You still use
kadmin to manage Kerberos principals. Having Kerberos data in LDAP
makes replicating data between multi-master KDCs much easier.
On 04/27/17 09:22, S P Arif Sahari Wibowo via samba wrote:
> On 2017-04-27, 07:13, Gaiseric Vandal via samba wrote:
>> A Samba AD directory server (domain controller) is its own kerberos
>> server. I don't see how you could configure it to use another KDC.
>
> I don't know Kerberos much, so I am wondering can something like this
> be "delegated"?
>
>> Depending on how many computers are in your environment, it may be easier
>> to have the non-AD Kerberos clients use the Samba DC as the KDC.
>
> Definitely not easier in my case. The current OpenLDAP & Kerberos
> server will definitely stay and most services will still use it. I
> need to get a way for MS Windows to mount shares from my server using
> credentials from existing OpenLDAP & Kerberos authentication system.
>
> Thank you.
>
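The password sync hook described above (Samba pushing a user's new Windows password into the Kerberos KDC so the three passwords stay identical), as an added example that is neither the poster's script nor Samba's own code. It is a POSIX sh script wired in through `unix password sync` / `passwd program` and driven by `passwd chat`; the realm EXAMPLE.COM, the kadmin.local path and the smb.conf lines in the header comment are assumptions, and the LDAP side is left to Samba's `ldap passwd sync = yes`.

```shell
#!/bin/sh
# sync-passwd: Samba "unix password sync" hook that pushes the user's new
# Windows password into the Kerberos KDC (added example, not Samba's code).
# Assumed smb.conf wiring (ldap passwd sync lets Samba update LDAP itself):
#   unix password sync = yes
#   ldap passwd sync = yes
#   passwd program = /usr/local/sbin/sync-passwd %u
#   passwd chat = *New*password* %n\n *Retype*new*password* %n\n *changed*
# Samba runs this as root on a pty and answers the two prompts printed below.
REALM="${REALM:-EXAMPLE.COM}"      # assumed realm
KADMIN="${KADMIN:-kadmin.local}"   # assumed path; runs on the KDC host itself
MIN_LEN=8

# Map a login name to its Kerberos principal.
principal_for() {
    printf '%s@%s\n' "$1" "$REALM"
}

# Accept the pair only if both copies match, are long enough and contain no
# double quote (the one character that would break the quoted kadmin argument).
validate_new_password() {
    [ "$1" = "$2" ] || return 1
    [ "${#1}" -ge "$MIN_LEN" ] || return 1
    case $1 in *\"*) return 1 ;; esac
    return 0
}

# Change the Kerberos password. The command goes to kadmin's stdin, so the
# new password never shows up in a process listing.
sync_kerberos() {
    printf 'cpw -pw "%s" %s\n' "$2" "$(principal_for "$1")" | "$KADMIN"
}

main() {
    user="$1"
    [ -n "$user" ] || { echo "usage: sync-passwd USER" >&2; exit 2; }
    printf 'New password: '
    IFS= read -r pw1
    printf 'Retype new password: '
    IFS= read -r pw2
    if ! validate_new_password "$pw1" "$pw2"; then
        echo "Password not changed: mismatch, too short or contains a quote" >&2
        exit 1
    fi
    sync_kerberos "$user" "$pw1" >/dev/null || { echo "kadmin failed" >&2; exit 1; }
    echo "password changed"   # matches the *changed* pattern in passwd chat
}
# Run as the hook only; when sourced under another name the functions are usable.
if [ "$(basename -- "$0")" = sync-passwd ]; then main "$@"; fi
```

Pair it with `passwd chat debug = yes` in smb.conf while testing so a prompt mismatch shows up in the Samba log instead of failing silently.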