[Samba] PAM only and Kerberos...
Robert Marcano
robert at marcanoonline.com
Mon May 28 13:45:41 UTC 2018
On 05/28/2018 09:23 AM, Marco Gaiarin via samba wrote:
>
> In my old Samba/NT/OpenLDAP domains I used to set up, on some
> specific hosts/VMs, a simple authentication scheme: I simply created
> some users locally (e.g. 'adduser'), and then I set up only the PAM part
> of LDAP.
>
> It seems to me that now, on Samba/AD, I should use Kerberos. And it also seems TOO easy!
>
> I've simply installed 'libpam-krb5', replied to the debconf question
> with the AD/Kerberos domain/realm and... voilà, it works as expected. Cool!
> ;-)
>
>
> But, lacking some docs on the Samba wiki, I have some more questions:
>
> a) I suppose that Kerberos uses DNS to resolve servers; in a complex
> setup, is there some way to have Kerberos use the servers from the same
> site?
>
> b) I use the same setup on firewalls, which have no knowledge of
> internal DNS. Is there some way to set up Kerberos authentication with
> 'no DNS'?! E.g., putting some info in /etc/hosts?!
>
Yes, check the documentation of krb5.conf. In summary, you will need to
disable dns_canonicalize_hostname, dns_lookup_kdc, etc. if enabled, and
set your admin and kdc hostnames there, something like:

    [realms]
        EXAMPLE.COM = {
            kdc = kdc.example.com:88
            master_kdc = kdc.example.com:88
            admin_server = kadmin.example.com:749
            default_domain = example.com
            ....
        }
>
> Thanks.
>
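
Added example (not part of the original message, and not Samba or Kerberos project code): a Python check for a host meant to run without DNS, as in question (b). It reports whether the two options named in the reply are explicitly disabled in krb5.conf and whether every kdc/admin_server host under [realms] is listed in the hosts file. The function name, the sample files and the 192.0.2.10 address are constructed for illustration, and the parser assumes the simple "key = value" layout with host names (not bare IPv6 addresses) shown in the reply.

```python
# Constructed sample inputs (not from the thread).
SAMPLE_KRB5 = """\
[libdefaults]
    dns_lookup_kdc = false

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com:88
        admin_server = kadmin.example.com:749
    }
"""
SAMPLE_HOSTS = """\
127.0.0.1   localhost
192.0.2.10  kdc.example.com kdc   # constructed address
"""

DNS_OPTIONS = ("dns_lookup_kdc", "dns_canonicalize_hostname")
SERVER_KEYS = ("kdc", "master_kdc", "admin_server")
FALSE_VALUES = ("false", "no", "off", "0")  # common spellings of "disabled"

def check_no_dns(krb5_text, hosts_text):
    """Return findings that leave this Kerberos client dependent on DNS."""
    known = set()  # every canonical name or alias in the hosts file
    for line in hosts_text.splitlines():
        known.update(n.lower() for n in line.split("#", 1)[0].split()[1:])

    section, libdefaults, servers = None, {}, set()
    for line in map(str.strip, krb5_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif "=" in line and line[0] not in "#;":
            key, value = (part.strip() for part in line.split("=", 1))
            if section == "libdefaults":
                libdefaults[key] = value.lower()
            elif section == "realms" and key in SERVER_KEYS:
                servers.add(value.rsplit(":", 1)[0].lower())  # drop ":port"

    findings = [f"{opt} is not explicitly disabled" for opt in DNS_OPTIONS
                if libdefaults.get(opt) not in FALSE_VALUES]
    findings += [f"{host} is not in the hosts file" for host in sorted(servers)
                 if host not in known]
    return findings

if __name__ == "__main__":
    for finding in check_no_dns(SAMPLE_KRB5, SAMPLE_HOSTS):
        print("WARNING:", finding)
```

On a real host, pass the contents of /etc/krb5.conf and /etc/hosts instead of the samples; an empty result means neither of the two options nor any listed server name relies on DNS.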