[Samba] pam_winbind stops working when use_krb5 is enabled
cn at brain-biotech.de
cn at brain-biotech.de
Fri Feb 26 06:22:58 UTC 2021
Hello Tim,
I can confirm that joining with Samba works on Centos 8. We have 5 DCs
and member servers running on 8.
The only thing I have run after the join is this:
authselect select winbind --force
in nsswitch.conf I have this then:
passwd: files winbind systemd
group: files winbind systemd
And it works.
I can log in using krb by ssh. SMB works by krb also.
Successful AuthZ: [SMB2,krb5] user [DOMAIN-02]\[XX]
[S-1-5-21-XXXXXXX-XXXXX-XXXXX-XXXXX].
However, I am not sure how this all works together.
Regards
Am 26.02.21 um 05:20 schrieb Tim Miller via samba:
> Thanks for everyone who has weighed in on this. Very annoying that Red Hat
> decided to do away with pam_krb5. Based on what I'm reading (both here and
> in other places), the preferred solution is to use realmd to join to a
> domain rather than samba, which isn't really what I want at all :-). Red
> Hat does provide instructions for using Samba to join a domain and using
> SSSD to handle the authentication, but I don't have a RHEL 7 system handy
> to try them on, so I can't speak for whether or not they work.
>
> I do have one question about using pam_krb5 (or pam_sss, if such a thing
> would ever be possible). Is the basic idea to use pam_krb5 (or pam_sss) to
> get the Kerberos ticket, which pam_winbind would then use to authenticate
> the user? Based on the description of the "krb5_auth" parameter in the
> pam_winbind man page, I thought that the notion is that pam_winbind would
> go off to the DC and get the Kerberos ticket for me, decrypt it using my
> password, and then stuff it into whatever ticket cache I've configured. But
> if we're actually getting the ticket via pam_krb5, then I've clearly
> misunderstood what role pam_winbind is playing in the whole authentication
> operation.
>
> Thanks again for everyone's assistance here!
> Tim
>
> On Thu, Feb 25, 2021 at 10:55 AM Rowland penny via samba <
> samba at lists.samba.org> wrote:
>
>> On 25/02/2021 15:41, cn--- via samba wrote:
>>> Am 25.02.21 um 14:35 schrieb Rowland penny via samba:
>>>
>>>>
>>>> You need pam-krb5, which I believe Red-hat has removed in RHEL 8
>>>
>>> You can do it this way:
>>>
>>> https://access.redhat.com/solutions/4256011
>>>
>>> The account is free but you need to log in.
>>
>>
>> I have a red-hat account but I can never see anything, but I take it
>> that it is the same as this:
>>
>> https://sssd.io/docs/users/pam_krb5_migration.html
>>
>> If it is, then you are shooting yourself in the foot, the first thing
>> you would have to do is to remove Samba as you cannot use sssd with Samba.
>>
>> Rowland
>>
>>
>>
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba
>>
--
Dr. Christian Naumer
Vice President
Unit Head Bioprocess Development
B.R.A.I.N Aktiengesellschaft
Darmstaedter Str. 34-36, D-64673 Zwingenberg
e-mail cn at brain-biotech.com, homepage www.brain-biotech.com
phone +49-6251-9331-30 / fax +49-6251-9331-11
Sitz der Gesellschaft: Zwingenberg/Bergstrasse
Registergericht AG Darmstadt, HRB 24758
Vorstand: Adriaan Moelker (Vorstandsvorsitzender),
Lukas Linnig
Aufsichtsratsvorsitzender: Dr. Georg Kellinghusen
More information about the samba
mailing list