[Samba] Minimum footprint for authenticating CIFS shares with Kerberos

Dorian Taylor (Lists) lists at doriantaylor.com
Fri Jan 22 20:23:07 UTC 2021

> On Jan 22, 2021, at 11:56 AM, Rowland penny via samba <samba at lists.samba.org> wrote:

> You do realise that they are the main components of AD.

I do! And they are working just fine and I would prefer not to get rid of them, because they are already configured and I am using them for things.

> No such thing, there is an AD DC and an NT4-style PDC, but they are totally different things 😁

Thank you for apprising me of the correct terminology.

> I take it you haven't read any AD documentation 😮

I’m awash in documentation. For the record it isn’t obvious from the outside that Samba has to manage all of those services internally and not avail itself of existing resources.

> This is because you now use 'samba-ad-dc' to start the Samba AD DC and 'smbd', 'nmbd' and 'winbind' to start the daemons for a Unix domain member.

Yeah, thanks, I found that shortly after sending.

> Easy, turn off your ldap server, KDC and DNS server, then start your AD DC with 'systemctl start samba-ad-dc', though you will probably have to unmask it first.

Perhaps the question I should have asked is “how closely-coupled is using Kerberos to authenticate to a Samba share to the whole AD ball of wax?”, but it looks like the answer is “It’s all or nothing, baby.”


Dorian Taylor
Make things. Make sense.
