[Samba] kerberos + winbind + AD authentication for samba 4 domain member

Rowland Penny rpenny at samba.org
Wed Nov 1 17:44:08 UTC 2017


On Wed, 1 Nov 2017 17:41:14 +0100 (CET)
"k.wirski babkamedica.pl" <k.wirski at babkamedica.pl> wrote:

> Thank You,
> 
> /etc/hostname I set it myself, never seen issue with FQDN, I'll
> change it
> 
> localdomain in /etc/hosts is from the default config
> 
> this auto krb5.conf.DOMAIN - could it be, that by default samba
> builds with Heimdal, and centos (as RHEL) uses MIT krb, and
> something in /etc/krb5.conf was not ok during join, for whatever
> reason? The "auth_to_local" is MIT kerberos specific.
> 
> Also auth_to_local is used when logging to machine, and my issue with
> kinit is when mapping is done from local to UPN.
> 
> 
> I removed whole /usr/local/samba dir, installed from scratch,
> re-added to domain, recreated krb5.keytab, and issue is 100% the same.
> 
> 
> I tried changing winbind separator from default to + and changed
> krb5.conf rule accordingly, it changed nothing. Issue is not with
> kerberos for login, it works a-ok. The issue is that for whatever
> reason POSIX user is used with full name as principal.
> 
> When I changed winbind separator, my posix user was
> "DOMAIN+kacper_wirski", and "kinit" used
> 
> DOMAIN+kacper_wirski at BMAD.BABKAMEDICA.PL as principal.
> 
> 
> I'm considering setting up a new machine from scratch from centos
> minimal and going from there, or I'll take my risks and set "use
> default domain = yes", then everything works perfectly.
> 
> 
> Can this issue be caused by something outside this machine, and
> something wrong with the domain overall? I don't believe it, since it
> seems very local OS specific, but maybe it is?
> 

All I can say is that when I set up Fedora 26 yesterday in the way I
would set up a Devuan computer, 'kinit' works in the way you want.

You are correct in that Samba uses Heimdal rather than MIT, but this is
supplied with Samba and is only used if you compile for a DC, which you
haven't.

Whilst it isn't recommended to use 'use default domain = yes', it is
used rather a lot. The only time it definitely shouldn't be used is if
you have more than one DOMAIN set in smb.conf.

If it helps, I can send you the notes I made whilst setting up Fedora 26.

Rowland
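The two settings the thread goes back and forth on, shown side by side as an added example (this is not configuration from either poster or from the Samba project; the NetBIOS name DOMAIN, the realm BMAD.BABKAMEDICA.PL and the user kacper_wirski are taken from the thread, everything else is an assumption for illustration). The first smb.conf variant keeps the domain prefix on POSIX names and pairs it with an MIT-style auth_to_local rule so that principal and local name agree; the second variant is the 'use default domain = yes' shortcut Rowland describes as widely used but only safe on a single-domain member.

```ini
# --- /etc/samba/smb.conf (assumed single-domain member, variant A) ---
[global]
    workgroup = DOMAIN
    realm = BMAD.BABKAMEDICA.PL
    security = ads
    # POSIX names keep the domain prefix; '+' instead of the default '\'
    # avoids shell/regex escaping when the same name appears in krb5.conf.
    winbind separator = +
    winbind use default domain = no
    # Resulting POSIX name: DOMAIN+kacper_wirski

# --- /etc/krb5.conf (MIT krb5 only; Heimdal does not read auth_to_local) ---
[libdefaults]
    default_realm = BMAD.BABKAMEDICA.PL

[realms]
    BMAD.BABKAMEDICA.PL = {
        # Map kacper_wirski@BMAD.BABKAMEDICA.PL -> DOMAIN+kacper_wirski.
        # The literal prefix and separator must match smb.conf above;
        # mapping is principal -> local name (login), never the reverse.
        auth_to_local = RULE:[1:DOMAIN+$1@$0](^DOMAIN[+].*@BMAD\.BABKAMEDICA\.PL$)s/@BMAD\.BABKAMEDICA\.PL$//
        # Fall back to the default strip-realm behaviour for anything else.
        auth_to_local = DEFAULT
    }

# --- /etc/samba/smb.conf (variant B, the shortcut from the thread) ---
[global]
    workgroup = DOMAIN
    realm = BMAD.BABKAMEDICA.PL
    security = ads
    # Bare POSIX names: kacper_wirski, so kinit derives
    # kacper_wirski@BMAD.BABKAMEDICA.PL with no extra mapping.
    # Only acceptable with exactly one domain in smb.conf, because two
    # domains could each contain a user with the same bare name.
    winbind use default domain = yes
```

With variant A the checks are `wbinfo -u` (expect `DOMAIN+kacper_wirski`), then `kinit kacper_wirski` as that POSIX user and `klist` to confirm the principal has no domain prefix; if an idmap config block is already present it stays as it is, the example only touches the naming settings.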
