[Samba] Kerberos-only login with multiple domains and/or UPN...
L.P.H. van Belle
belle at bazuin.nl
Fri Dec 31 11:27:19 UTC 2021
Short version of your question: yes, you can.
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Marco Gaiarin via samba
> Sent: Friday 31 December 2021 11:54
> To: samba at lists.samba.org
> Subject: [Samba] Kerberos-only login with multiple domains
> and/or UPN...
> I'm googling around but I found references to SSSD only, not to a
> plain Kerberos setup.
> Situation: AD forest, composed of the forest tree and 4 more
> domains; in two of those some administrative users exist, supposing:
> SITE1.AD.SHORT.DOM\admin1 (UPN: admin1 at LONGDOMAIN.DOM)
> SITE2.AD.SHORT.DOM\admin2 (UPN: admin2 at LONGDOMAIN.DOM)
> In some very specific box we need ssh access only for admins; so I've
> created locally (eg: in /etc/passwd) 'admin1' and 'admin2' and set up
> Kerberos and pam_krb5. The purpose is to enable auth to the
> domain without setting up samba/winbind.
> In a single-domain setup (eg 'default_realm = SITE1.AD.SHORT.DOM' or
> '= SITE2.AD.SHORT.DOM') it works, but clearly only admins of
> that domain can auth.
> I've tried to set up multiple realms and use 'auth_to_local'
> rules, but I was not able to make it work: 'auth_to_local' seems not
> to work, and if the default realm is 'SITE1.AD.SHORT.DOM' and I try to
> log in with 'SITE2.AD.SHORT.DOM/admin2', 'SITE1.AD.SHORT.DOM' is still
> looked up.
> I'm also curious if it is possible to auth directly with the UPN
> in Kerberos.
> Thanks. And good new year's eve. ;)
If you only need it for admin access, this is how I did it.
I have 1 Linux account that has sudo rights (it's not used normally, only for admin if Windows/Samba fails).
I have a Windows group (with GID assigned) that is in the sshd config.
And I have a few Windows users in the Windows group.
The Linux account goes like normal.
The Windows accounts use SSO logins with Kerberos.
# Allow the Windows and Linux groups
AllowGroups Allow-Win2LinuxAdmins-SSH local-admins
# And the options I use for Kerberos.
# GSSAPI options
(of course, on Debian)
You also need krb5-users,
and run pam-auth-update.
Test it with kinit username.
Should be sufficient.
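The auth_to_local part of Marco's question is where multi-realm logins usually go wrong, so here is an added worked example (my own illustration, not code from either poster or from the Samba project) that evaluates a set of auth_to_local rules the way I understand MIT krb5 does it: the principal is formatted with [n:$1@$0], the regexp has to match that whole string, the s/// substitution is applied, and the first rule that produces a name wins. The realm and user names are the hypothetical SITE1/SITE2 ones from the mail; the rule set is a constructed allow-list with one rule per (user, realm) pair and no DEFAULT rule, so anything not listed maps to nothing. Two caveats, both as assumptions to verify against your krb5 version: MIT reads the rules from the [realms] stanza of the default realm, not from the stanza of the principal's realm, and the DEFAULT rule only ever maps single-component principals of the default realm, which by itself reproduces the "only SITE1 admins can log in" symptom.

```python
"""Evaluate auth_to_local rules for principals from several AD realms.

Added illustration, not code from the Samba project or from either poster.
Rule semantics follow MIT krb5's RULE:/DEFAULT syntax as I understand it
(whole-string regexp match, first matching rule wins); realm and user names
are the hypothetical ones from the thread.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample rules, written as they would appear in /etc/krb5.conf
# under the default realm's [realms] stanza (assumption: MIT consults the
# default realm's stanza for every principal, whatever its realm):
#   [realms]
#     SITE1.AD.SHORT.DOM = {
#       auth_to_local = RULE:[1:$1@$0](^admin1@SITE1\.AD\.SHORT\.DOM$)s/@.*//
#       auth_to_local = RULE:[1:$1@$0](^admin2@SITE2\.AD\.SHORT\.DOM$)s/@.*//
#     }
# Explicit allow-list: one rule per (user, realm) pair and no DEFAULT rule,
# so a principal that is not listed maps to nothing and the login is refused.
DEFAULT_REALM = "SITE1.AD.SHORT.DOM"
SAMPLE_RULES = [
    r"RULE:[1:$1@$0](^admin1@SITE1\.AD\.SHORT\.DOM$)s/@.*//",
    r"RULE:[1:$1@$0](^admin2@SITE2\.AD\.SHORT\.DOM$)s/@.*//",
]

# RULE:[n:format](regexp)s/pattern/replacement/g  -- regexp and s/// optional
RULE_SYNTAX = re.compile(
    r"^RULE:\[(?P<n>\d+):(?P<fmt>[^\]]*)\]"
    r"(?:\((?P<match>.*)\))?"
    r"(?:s/(?P<pat>(?:[^/\\]|\\.)*)/(?P<rep>(?:[^/\\]|\\.)*)/(?P<g>g?))?$"
)


@dataclass(frozen=True)
class Principal:
    components: tuple  # ("admin1",) or ("host", "box.example") for 2 parts
    realm: str


def parse_principal(text: str) -> Principal:
    """Split 'comp1/comp2@REALM' into its components and realm."""
    name, sep, realm = text.rpartition("@")
    if not sep or not name or not realm:
        raise ValueError(f"not a principal name: {text!r}")
    return Principal(tuple(name.split("/")), realm)


def apply_rule(rule: str, principal: Principal, default_realm: str) -> Optional[str]:
    """Return the local user name the rule yields, or None if it does not apply."""
    if rule == "DEFAULT":
        # DEFAULT only maps single-component principals of the default realm;
        # a SITE2 user is never mapped by it while SITE1 is the default realm.
        if principal.realm == default_realm and len(principal.components) == 1:
            return principal.components[0]
        return None
    m = RULE_SYNTAX.match(rule)
    if m is None:
        raise ValueError(f"unparseable auth_to_local rule: {rule!r}")
    if int(m["n"]) != len(principal.components):
        return None  # rule is for principals with a different component count
    fields = {"0": principal.realm}
    fields.update((str(i + 1), c) for i, c in enumerate(principal.components))
    text = re.sub(r"\$(\d)", lambda v: fields[v.group(1)], m["fmt"])
    if m["match"] is not None and re.fullmatch(m["match"], text) is None:
        return None  # the formatted string must match the whole regexp
    if m["pat"] is not None:
        text = re.sub(m["pat"], m["rep"], text, count=0 if m["g"] else 1)
    return text


def map_to_local(principal_text: str, rules=SAMPLE_RULES,
                 default_realm: str = DEFAULT_REALM) -> Optional[str]:
    """First rule that yields a name wins; None means 'refuse the login'."""
    principal = parse_principal(principal_text)
    for rule in rules:
        local = apply_rule(rule, principal, default_realm)
        if local is not None:
            return local
    return None


if __name__ == "__main__":
    for p in ("admin1@SITE1.AD.SHORT.DOM", "admin2@SITE2.AD.SHORT.DOM",
              "admin2@SITE1.AD.SHORT.DOM", "admin1/admin@SITE1.AD.SHORT.DOM"):
        print(f"{p:35} -> {map_to_local(p)}")
        print(f"{p:35} -> {map_to_local(p, rules=['DEFAULT'])}  (DEFAULT only)")
```

This only lets you reason about a rule set before putting it on the box; on the box itself the Kerberos library does the mapping, and both OpenSSH's GSSAPI user check and pam_krb5 rely on it, so the kinit test Louis suggests (kinit admin2@SITE2.AD.SHORT.DOM, then an ssh login) is still the real check. Note that the allow-list deliberately pins each user to one realm: with a bare DEFAULT rule instead, any single-component principal from the default realm would map to a local account of the same name.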