[Samba] Samba AD DC authenticated by external Kerberos (~ Re: Samba authentication using non-AD Kerberos?)
Andrew Bartlett
abartlet at samba.org
Thu Apr 27 19:18:11 UTC 2017
On Thu, 2017-04-27 at 07:22 -0600, S P Arif Sahari Wibowo via samba
wrote:
> On 2017-04-27, 07:13, Gaiseric Vandal via samba wrote:
> > A Samba AD directory server (domain controller) is its own
> > kerberos server. I don't see how you could configure it to use
> > another KDC.
>
> I don't know Kerberos much, so I am wondering can something like
> this be "delegated"?

This is the (unimplemented) 'MIT Trust' I described earlier.

> > Depending on how many computers in your environment, it may be
> > easier to have the non-AD Kerberos clients use the Samba DC
> > as the KDC.
>
> Definitely not easier in my case. The current OpenLDAP &
> Kerberos server will definitely stay and most services will
> still use it. I need to get a way for MS Windows to mount shares
> from my server using credentials from existing OpenLDAP &
> Kerberos authentication system.

Then I don't really see a practical way out. I'm surprised you lasted
so long into 2017 with the Windows clients unconnected to this system
(this isn't really a Samba issue at this point), but the infinite
variety in IT systems in this world never ceases to amaze me.

I wish you the very best with your deployment, however you choose to
handle it.

Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba