[Samba] Deploying Samba AD into Windows / Linux / OpenLDAP / Kerberos network

Robert Marcano robert at marcanoonline.com
Fri Jan 29 14:04:13 UTC 2021


On 1/29/21 9:54 AM, Rowland penny via samba wrote:
> On 29/01/2021 13:15, Mike via samba wrote:
>> * Kerberos: This is probably the big one.  One would expect a user to be
>> able to log into either a Linux or Windows box.  Is there a neat way to
>> use the same accounts?  Can Samba use the existing Kerberos
>> infrastructure and indeed should it?
> 
> 
> Samba could use an existing KDC, but it wouldn't be AD
> 
> 
>>    I've read that MIT kerberos
>> support in Samba is experimental, does this mean "it works but we
>> wouldn't want to stake our reputations on it" or "it doesn't work"?
> 
> 
> It does work, but not as fully as the built-in Heimdal Kerberos; there
> are several big problems, hence 'experimental'.

I am under the impression that the MIT backend for Samba AD support (the
embedding of a KDC inside Samba) is the one that is experimental, not
basic non-AD DC server support.

I use RHEL/CentOS/Fedora MIT-based Samba as non-DC servers with Kerberos
without problems.

> 
> 
>> Would a better approach be to allow Samba to manage its own Kerberos and
>> create the users in MIT kerberos and use cross-realm authentication to
>> make the users available to Linux and AD (does this work)?
> 
> 
> I would just let Samba be the KDC; there really is no point in two KDCs
> in a home network.
> 
> 
>>
>> I guess this boils down to two questions:
>>
>> 1) Should one just install Samba AD and let it handle its own stuff or
>> should one aim to backend it all with my existing BIND/LDAP/Kerberos?
> 
> 
> Oh yes, just install Samba, after that you don't need the separate servers.
> 
> 
>>
>> 2) How should one set it up so that one can create a user that can
>> seamlessly log into both Linux and Windows hosts?
>>
> Windows will just use the users & groups in AD (after you join to the 
> domain) and you just install Samba on the Linux hosts and configure it 
> as a Unix domain member.
> 
> Any questions, just ask 😁
> 
> Rowland
> 
> 
> 
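For the "configure it as a Unix domain member" step above, the following shell lint checks an smb.conf for the member-specific settings (security = ADS, realm, workgroup, and non-overlapping idmap ranges for the default and domain backends). It is an added example, not from the thread or the Samba project; the config text is constructed and EXAMPLE / EXAMPLE.COM are placeholder workgroup and realm names.

```shell
# Added example (not from the thread or the Samba project): lint a Samba
# "Unix domain member" smb.conf for the settings a member host needs to
# authenticate AD users and map their SIDs to Unix IDs. The config below is
# constructed; EXAMPLE / EXAMPLE.COM are placeholder workgroup and realm names.
set -eu

MEMBER_CONF=$(cat <<'EOF'
[global]
   workgroup = EXAMPLE
   realm = EXAMPLE.COM
   security = ADS
   winbind use default domain = yes
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config EXAMPLE : backend = rid
   idmap config EXAMPLE : range = 10000-999999
EOF
)

lc() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# Print the trimmed value of parameter $1 (lower-case name) from config text $2.
conf_get() {
  printf '%s\n' "$2" | awk -F'=' -v key="$1" 'NF >= 2 {
    k = tolower($1); gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
    if (k == key) { v = $2; gsub(/^[[:space:]]+|[[:space:]]+$/, "", v); print v; exit } }'
}

# Return 0 when "lo-hi" ranges $1 and $2 share at least one ID, else 1.
ranges_overlap() { [ "${1%-*}" -le "${2#*-}" ] && [ "${2%-*}" -le "${1#*-}" ]; }

# Return 0 if the config looks like a usable domain member, 1 (with reasons) if not.
check_member_conf() {
  conf=$1; rc=0
  [ "$(lc "$(conf_get security "$conf")")" = ads ] || { echo "security must be ADS"; rc=1; }
  [ -n "$(conf_get realm "$conf")" ] || { echo "realm is not set"; rc=1; }
  wg=$(lc "$(conf_get workgroup "$conf")")
  [ -n "$wg" ] || { echo "workgroup is not set"; return 1; }
  [ -n "$(conf_get 'idmap config * : backend' "$conf")" ] || { echo "no default idmap backend"; rc=1; }
  [ -n "$(conf_get "idmap config $wg : backend" "$conf")" ] || { echo "no idmap backend for $wg"; rc=1; }
  def=$(conf_get 'idmap config * : range' "$conf")
  dom=$(conf_get "idmap config $wg : range" "$conf")
  [ -n "$def" ] && [ -n "$dom" ] || { echo "idmap ranges for * and $wg must both be set"; return 1; }
  if ranges_overlap "$def" "$dom"; then echo "idmap ranges $def and $dom overlap"; rc=1; fi
  return $rc
}

check_member_conf "$MEMBER_CONF" && echo "smb.conf looks like a valid Unix domain member"
```

On a real member host, `testparm` still validates the file's syntax; this script only checks the member-specific settings discussed in the thread.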