[Samba] Kerberos-only login with multiple domains and/or UPN...

L.P.H. van Belle belle at bazuin.nl
Fri Dec 31 11:27:19 UTC 2021

Hi Marco,

Short version of your question: yes, you can.
More below.

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Marco Gaiarin via samba
> Sent: Friday, 31 December 2021 11:54
> To: samba at lists.samba.org
> Subject: [Samba] Kerberos-only login with multiple domains
> and/or UPN...
> I'm googling around but I found references to SSSD only, not to a
> plain Kerberos setup.
> Situation: an AD forest, composed of a forest tree and 4 more
> domains; in two of them some administrative users exist, supposing:
>  SITE1.AD.SHORT.DOM\admin1		(UPN: admin1 at LONGDOMAIN.DOM)
>  SITE2.AD.SHORT.DOM\admin2		(UPN: admin2 at LONGDOMAIN.DOM)
> On some very specific boxes we need ssh access only for admins; so I've
> created 'admin1' and 'admin2' locally (eg in /etc/passwd) and set up
> Kerberos and pam_krb5. The purpose is to enable auth to the
> domain without setting up samba/winbind.
> In a single-domain setup (eg 'default_realm = SITE1.AD.SHORT.DOM' or
> '= SITE2.AD.SHORT.DOM') it works, but clearly only the admin of
> that domain can auth.
> I've tried to set up multiple realms and use 'auth_to_local'
> rules, but I was not able to make it work: 'auth_to_local' seems not
> to work, and if the default realm is 'SITE1.AD.SHORT.DOM' and I try to
> log in with 'SITE2.AD.SHORT.DOM/admin2', 'SITE1.AD.SHORT.DOM' is still
> looked up.
> I'm also curious if it is possible to auth directly with the UPN
> in Kerberos.
> Thanks. And good New Year's Eve. ;)

If you only need it for admin access, this is how I did it.

I have one Linux account that has sudo rights (it's not used normally, only for admin if Windows/Samba fails).
I have a Windows group (with a GID assigned) that is in the sshd config,
and I have a few Windows users in that Windows group.

The Linux account logs in as normal.
The Windows accounts use SSO logins with Kerberos.

In sshd_config 

# Allow the Windows and Linux groups
AllowGroups Allow-Win2LinuxAdmins-SSH local-admins

# And the options I use for Kerberos.
# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
GSSAPIStrictAcceptorCheck yes
GSSAPIKeyExchange yes
GSSAPIStoreCredentialsOnRekey yes

(of course, on Debian)
You also need krb5-users,
and run pam-auth-update.

Test it with kinit username.
That should be sufficient.
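To tie the GSSAPI setup above to the two-realm situation in Marco's question, here is an added krb5.conf example (not from this thread or from either author) that maps admin1 and admin2 from their respective realms onto the local accounts of the same name; sshd's GSSAPI user check consults exactly this mapping. It assumes MIT Kerberos, whose auth_to_local rules are read only from the default realm's block in [realms], and the realm and user names are the placeholders from the question.

```ini
# /etc/krb5.conf  (added example, assumes MIT Kerberos on the ssh host)
[libdefaults]
    default_realm = SITE1.AD.SHORT.DOM
    dns_lookup_kdc = true
    # Pick realms from the explicit [domain_realm] map, not from DNS guesses.
    dns_lookup_realm = false

[realms]
    SITE1.AD.SHORT.DOM = {
        # MIT reads auth_to_local only from the default realm's block, so the
        # rules for *both* realms live here; the first matching rule wins.
        # [1:$1@$0] formats a one-component principal as "user@REALM".
        auth_to_local = RULE:[1:$1@$0](^admin1@SITE1\.AD\.SHORT\.DOM$)s/@.*//
        auth_to_local = RULE:[1:$1@$0](^admin2@SITE2\.AD\.SHORT\.DOM$)s/@.*//
        # DEFAULT only maps one-component principals of the default realm;
        # anything else (any other user, any other realm) is refused.
        auth_to_local = DEFAULT
    }
    SITE2.AD.SHORT.DOM = {
        # KDCs are found via DNS SRV records (dns_lookup_kdc above).
    }

[domain_realm]
    .site1.ad.short.dom = SITE1.AD.SHORT.DOM
    site1.ad.short.dom = SITE1.AD.SHORT.DOM
    .site2.ad.short.dom = SITE2.AD.SHORT.DOM
    site2.ad.short.dom = SITE2.AD.SHORT.DOM
```

Without any auth_to_local rule, a file ~admin2/.k5login containing the single line admin2@SITE2.AD.SHORT.DOM authorizes that principal for that local account just as well. For the UPN question, kinit -E admin1@LONGDOMAIN.DOM sends the name as an enterprise principal and lets the AD KDC resolve the real realm.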