[Samba] Kerberos-only login with multiple domains and/or UPN...
Marco Gaiarin
gaio at lilliput.linux.it
Fri Dec 31 10:54:14 UTC 2021
I'm googling around but I found references to SSSD only, not a plain Kerberos
setup.
Situation: an AD forest, composed of the forest tree and 4 more domains; in two of
those some administrative users exist, supposing:
SITE1.AD.SHORT.DOM\admin1 (UPN: admin1 at LONGDOMAIN.DOM)
SITE2.AD.SHORT.DOM\admin2 (UPN: admin2 at LONGDOMAIN.DOM)
On some very specific boxes we need ssh access only for admins; so I've
created locally (eg: in /etc/passwd) 'admin1' and 'admin2' and set up
Kerberos and pam_krb5. The purpose is to enable auth to the domain without
setting up samba/winbind.
In a single-domain setup (eg 'default_realm = SITE1.AD.SHORT.DOM' or
'= SITE2.AD.SHORT.DOM') it works, but clearly only admins of that domain can
auth.
I've tried to set up multiple realms and use 'auth_to_local' rules, but I was
not able to make it work: 'auth_to_local' seems not to work, and if the default
realm is 'SITE1.AD.SHORT.DOM' and I try to log in with
'SITE2.AD.SHORT.DOM/admin2', 'SITE1.AD.SHORT.DOM' is still looked up.
I'm also curious whether it is possible to auth directly with the UPN in Kerberos.
Thanks. And good new year's eve. ;)
--
I ask when it will be that man can learn
to live without killing, and the wind will settle (F. Guccini)
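An added example (not from the original post) of how the realms from the post would be laid out in an MIT krb5.conf: `auth_to_local` is a per-realm setting in `[realms]`, and the realm of the authenticated principal selects which stanza is consulted, so rules placed only under the default realm are never applied to SITE2 principals. Realm and user names are those from the post; KDC discovery via DNS SRV records and MIT rule syntax are assumed.

```ini
[libdefaults]
    default_realm = SITE1.AD.SHORT.DOM
    dns_lookup_kdc = true
    rdns = false

[realms]
    SITE1.AD.SHORT.DOM = {
        # Only consulted for principals whose realm is SITE1.AD.SHORT.DOM.
        # $0 = realm, $1 = first component; the regexp must match the
        # formatted "$1@$0" string, then s/@.*// strips the realm.
        # Any principal that matches no rule is rejected, so only admin1
        # from this realm can map to a local account.
        auth_to_local = RULE:[1:$1@$0](^admin1@SITE1\.AD\.SHORT\.DOM$)s/@.*//
    }
    SITE2.AD.SHORT.DOM = {
        # Separate rule set for the second realm; this is where the
        # mapping for admin2 has to live, not under the default realm.
        auth_to_local = RULE:[1:$1@$0](^admin2@SITE2\.AD\.SHORT\.DOM$)s/@.*//
    }

[domain_realm]
    .site1.ad.short.dom = SITE1.AD.SHORT.DOM
    site1.ad.short.dom = SITE1.AD.SHORT.DOM
    .site2.ad.short.dom = SITE2.AD.SHORT.DOM
    site2.ad.short.dom = SITE2.AD.SHORT.DOM
```

Note that pam_krb5 by default builds the principal to authenticate as `<local user>@default_realm`, so a local account that must authenticate against SITE2 still needs an alternate principal mapping on the PAM side (a `.k5login` listing the SITE2 principal, or the module's own mapping option where it offers one); the `auth_to_local` rules above only govern the principal-to-local-name check, not which realm the password is tried against.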