[Samba] PAM only and Kerberos...

Robert Marcano robert at marcanoonline.com
Mon May 28 13:45:41 UTC 2018

On 05/28/2018 09:23 AM, Marco Gaiarin via samba wrote:
> In my old Samba/NT/OpenLDAP domains I used to set up, on some
> specific hosts/VMs, a simple authentication scheme, so I simply created
> some users locally (e.g. 'adduser'), and then I set up only the PAM part
> of LDAP.
> Seems to me now, on Samba/AD, to use Kerberos. And seems also TOO easy!
> I've simply installed 'libpam-krb5', replied to the debconfig question
> with the AD/Kerberos domain/realm and... voilà, works as expected. Cool!
> ;-)
> But, lacking some docs on the Samba wiki, I have some more questions:
> a) I suppose that Kerberos uses DNS to resolve servers; in a complex
>   setup, is there some way to have Kerberos use the servers from the same
>   site?
> b) I use the same setup on firewalls, which have no knowledge of
>   internal DNS. Is there some way to set up Kerberos authentication with
> 'no DNS'?! E.g., putting some info in /etc/hosts?!

Yes, check the documentation of krb5.conf. In summary, you will need to
disable dns_canonicalize_hostname, dns_lookup_kdc, etc. if enabled and
set your admin and kdc hostnames there, something like:

   kdc = kdc.example.com:88
   master_kdc = kdc.example.com:88
   admin_server = kadmin.example.com:749
   default_domain = example.com

> Thanks.
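
Added example, not part of the original reply: a complete krb5.conf showing which sections the settings named above belong in, so that libpam-krb5 never queries DNS to locate a KDC. It assumes MIT Kerberos and a realm named EXAMPLE.COM; the `dns_lookup_realm` and `rdns` options, the `[domain_realm]` mapping and the /etc/hosts addresses are additions beyond what the reply lists.

```ini
# /etc/krb5.conf (MIT Kerberos syntax); constructed example.
# EXAMPLE.COM is an assumed realm name; the host names are those from the reply.

[libdefaults]
    default_realm = EXAMPLE.COM
    # Do not locate KDCs through DNS SRV records; use [realms] below.
    dns_lookup_kdc = false
    # Do not map hosts to realms through DNS TXT records; use [domain_realm].
    dns_lookup_realm = false
    # Do not canonicalize service host names through DNS.
    dns_canonicalize_hostname = false
    # Do not use reverse DNS during host name canonicalization.
    rdns = false

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com:88
        master_kdc = kdc.example.com:88
        admin_server = kadmin.example.com:749
        default_domain = example.com
    }

[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM

# The KDC and admin server names must still resolve locally, e.g. through
# /etc/hosts entries such as these (192.0.2.x are documentation addresses,
# replace them with the real ones):
#   192.0.2.10  kdc.example.com
#   192.0.2.11  kadmin.example.com
```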
