[Samba] Printserver after latest MS updates

Rowland Penny rpenny at samba.org
Fri Oct 29 12:36:34 UTC 2021


On Fri, 2021-10-29 at 14:20 +0200, Achim Gottinger wrote:
> 
> On 29.10.2021 at 13:11, Rowland Penny via samba wrote:
> > On Fri, 2021-10-29 at 12:59 +0200, Achim Gottinger via samba wrote:
> > > > > Indeed, which raises the question can kerberos be used with
> > > > > local account?
> > > > This all depends what you mean by 'local account' if you mean an
> > > > account that is in /etc/passwd, then, no it will not work, because
> > > > the user would be unknown to AD and hence, kerberos.
> > > > 
> > > > Rowland
> > > > 
> > > > 
> > > > 
> > > Hello Rowland,
> > > 
> > > I was talking about a local account on the windows client side.
> > > Authentication against the samba server is using NTLMSSP in this
> > > case. I thought the file explorer may use kerberos if a valid ticket
> > > exists, which is not the case. Was just a wild guess. Kerberos only
> > > works if a domain account is used to log in on the windows client.
> > > 
> > > Achim
> > > 
> > > https://en.wikipedia.org/wiki/Security_Support_Provider_Interface
> > A 'local' user is a local user whatever the OS and as such isn't a
> > domain user, so cannot use kerberos.
> > 
> > Rowland
> Well a local user can manually acquire a ticket from kerberos (kinit
> [spn]) and use that so for authentication.
> In fact that is what I use as the "local" root user on linux if I use
> samba-tools.
> 
> kinit administrator@[DOMAIN REALM]
> samba-tools -k [whatever]

The local user isn't getting a ticket here, 'Administrator' is, try
running 'username@[DOMAIN REALM]' where 'username' is a local user
unknown to the domain.

Rowland




