[Samba] Can't setup kerberos auth for samba4 server?
L.P.H. van Belle
belle at bazuin.nl
Wed Oct 16 09:39:14 UTC 2019
If this is a member server.
Just install minimal debian server + ssh.
Point dns (resolv.conf) to AD-DC.
search ada.de
nameserver IP_AD_DC
Now apt-get install samba winbind acl attr krb5-user
Keep all default, you don't need to change anything..
After the install of all packages.
systemctl stop smbd winbind (optional nmbd)
(optional : systemctl disable nmbd)
Setup the correct smb.conf for a member server
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
kinit Administrator
net ads join -k
systemctl enable smbd winbind (optional nmbd)
systemctl start smbd winbind (optional nmbd)
Enjoy, it's that simple..
Greetz,
Louis
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Thomas Schweikle via samba
> Sent: Wednesday 16 October 2019 10:57
> To: Samba
> Subject: [Samba] Can't setup kerberos auth for samba4 server?
>
> Hi!
>
> Setup: Debian, Samba 4.11
>
> After successfully setting up samba4, I want this machine to authenticate
> against the running samba4-server. I've created /etc/krb5.conf:
>
> [libdefaults]
> default_realm = ADA.DE
> dns_lookup_realm = false
> dns_lookup_kdc = true
>
> kdc_timesync = 1
> ccache_type = 4
> forwardable = true
> proxiable = true
>
> fcc-mit-ticketflags = true
>
> [realms]
> ADA.DE = {
> kdc = ad01.ada.de
> kdc = ad02.ada.de
> admin_server = ad01.ada.de
> chpasswd_server = ad01.ada.de
> default_domain = ada.de
> }
>
> [domain_realm]
> .ada.de = ADA.DE
> ada.de = ADA.DE
>
>
> kinit works:
> # kinit Administrator
> Passwort für Administrator at ADA.DE:
> Warnung: Ihr Passwort wird in 39 Tagen am Mo 25 Nov 2019 08:22:41 CET
> ablaufen.
> #klist
> Ticketzwischenspeicher: FILE:/tmp/krb5cc_0
> Standard-Principal: Administrator at ADA.DE
>
> Valid starting Expires Service principal
> 16.10.2019 10:22:13 16.10.2019 20:22:13 krbtgt/ADA.DE at ADA.DE
> erneuern bis 17.10.2019 10:22:08
>
> But:
> # net ads join -k
> Host is not configured as a member server.
> Invalid configuration. Exiting....
> Failed to join domain: This operation is only allowed for the PDC of the
> domain.
>
> It is quite true this host is not configured as a member server -- it is
> the PDC! So what do I have to do to make this host use the running samba4
> to authenticate users? sssd fails because it can't find /etc/krb5.keytab.
>
> /etc/sssd/sssd.conf is set to:
> [sssd]
> services = nss, pam, autofs
> domains = ADA.DE
> debug_level = 0x0270
>
> [domain/ADA.DE]
> enumerate = true
> cache_credentials = True
> krb5_realm = ADA.DE
> ldap_search_base = dc=ada,dc=de
> krb5_server = ad01.ada.de, ad02.ada.de
> id_provider = ad
> auth_provider = ad
> ldap_uri = ldap://ad01.ada.de:389/, ldap://ad02.ada.de:389/
> ldap_id_use_start_tls = True
> ldap_tls_cacertdir = /etc/openldap/cacerts
> debug_level = 0x0270
>
> [nss]
> homedir_substring = /home
> debug_level = 0x0270
>
> [pam]
> debug_level = 0x0270
>
> [sudo]
> debug_level = 0x0270
>
> [autofs]
> debug_level = 0x0270
>
> [ssh]
> debug_level = 0x0270
>
> [pac]
> debug_level = 0x0270
>
> [ifp]
> debug_level = 0x0270
>
> [secrets]
> debug_level = 0x0270
>
> [session_recording]
> debug_level = 0x0270
>
> Any hint, link, Howto would be great help!
>
> --
> Thomas
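As an added example (not part of Louis's reply or of Samba itself), a POSIX shell pre-flight check that reads the smb.conf a member server will use and confirms it describes an ADS domain member before `kinit Administrator && net ads join -k` is attempted; it also rejects a DC's own smb.conf, which is the situation in the question. The workgroup name ADA, the idmap ranges and the temp-file paths are assumptions, since the thread only gives the realm ADA.DE.

```shell
#!/bin/sh
# Added example, not from the thread: pre-flight check of a member server's
# smb.conf before "kinit Administrator && net ads join -k". The join error
# "Host is not configured as a member server" means smb.conf does not
# describe an ADS domain member, so that is checked here first.

# Print a [global] parameter value from smb.conf (case-insensitive name,
# whitespace around "=" tolerated); prints nothing when it is absent.
smb_param() {  # $1 = smb.conf path, $2 = parameter name
    sed -n '/^[[:space:]]*\[global\]/,/^[[:space:]]*\[/p' "$1" \
      | grep -i "^[[:space:]]*$2[[:space:]]*=" | head -n 1 \
      | sed 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//'
}

# Return 0 if smb.conf describes an ADS domain member, 1 otherwise
# (reason on stderr). A DC's own smb.conf is rejected: a DC is never joined.
check_member_smbconf() {
    role=$(smb_param "$1" "server role" | tr 'A-Z' 'a-z')
    sec=$(smb_param "$1" "security" | tr 'A-Z' 'a-z')
    realm=$(smb_param "$1" "realm")
    wg=$(smb_param "$1" "workgroup")
    case "$role" in *"domain controller"*)
        echo "this host is a DC, not a member; nothing to join" >&2; return 1 ;;
    esac
    [ "$sec" = "ads" ] || { echo "security must be ADS, got '${sec:-unset}'" >&2; return 1; }
    [ -n "$realm" ] || { echo "realm is not set" >&2; return 1; }
    [ -n "$wg" ] || { echo "workgroup is not set" >&2; return 1; }
}

# Constructed sample: minimal member-server smb.conf (workgroup name ADA and
# the idmap ranges are assumptions; the thread only gives realm ADA.DE).
MEMBER_CONF=$(mktemp)
cat > "$MEMBER_CONF" <<'EOF'
[global]
   security = ADS
   workgroup = ADA
   realm = ADA.DE
   winbind use default domain = yes
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config ADA : backend = rid
   idmap config ADA : range = 10000-999999
EOF

# Constructed sample: the DC's own smb.conf, the situation in the question.
DC_CONF=$(mktemp)
printf '[global]\n   server role = active directory domain controller\n   realm = ADA.DE\n   workgroup = ADA\n' > "$DC_CONF"
check_member_smbconf "$MEMBER_CONF" && echo "ok: run kinit Administrator && net ads join -k"
check_member_smbconf "$DC_CONF" || echo "rejected as expected"
```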