[Samba] Winbind, Kerberos, SSH and Single Sign On

Andreas Hauffe andreas.hauffe at tu-dresden.de
Thu Nov 2 13:00:35 UTC 2017


Hi,

I solved my problem. For some reason the auth_to_local rule didn't work. 
When I change the krb5.conf to

[libdefaults]
         default_realm = SUBDOM2.SUBDOM1.EXAMPLE.DE
         dns_lookup_realm = true
         dns_lookup_kdc = true
         ticket_lifetime = 24h
         renew_lifetime = 7d
         forwardable = true

[realms]
    SUBDOM2.SUBDOM1.EXAMPLE.DE = {
         auth_to_local = RULE:[1:$0@$1](SUBDOM2\.SUBDOM1\.EXAMPLE\.DE@.*)s/\.SUBDOM1\.EXAMPLE\.DE@/+/
         auth_to_local = RULE:[1:$0@$1](EXAMPLE\.DE@.*)s/\.DE@/+/
         auth_to_local = DEFAULT
    }


everything is working. But I have no idea why it didn't work.

-- 
Regards
Andreas



On 02.11.2017 at 11:29, Andreas Hauffe via samba wrote:
> Hi,
>
> A new hint. If I change the default_realm in krb5.conf to EXAMPLE.DE
> then the kerberized ssh is working for a user from example.de
> (user1@EXAMPLE.DE) and not working for a user from
> subdom2.subdom1.example.de (testuser@SUBDOM2.SUBDOM1.EXAMPLE.DE)
>
> So with the actual configuration I'm able to use kerberized ssh for
> users from example.de or users from subdom2.subdom1.example.de but not
> both.
>
>
>

