[Samba] Failing authentication when PAC present in kerberos service ticket

Rowland Penny rpenny at samba.org
Thu Feb 3 13:17:44 UTC 2022


On Thu, 2022-02-03 at 14:55 +0200, Ahti Seier via samba wrote:
> Hello,
> 
>   We have been running samba in standalone mode (security = user) with
> kerberos authentication.
>   So I was wondering. What benefits will I actually get from running
> winbind instead of having NSS on the hosts resolve users and groups?
> 
>   Or am I going about this a wrong way? Is there a better way to
> authenticate AD users to a non-AD joined host?

I do not understand why you are running FreeIPA and AD; they both do
basically the same thing. I also do not understand why you are using
standalone servers in an AD/FreeIPA domain.

The benefits you will get from turning your standalone servers into
Unix domain members are ACL support and NTLM fallback.

I think we need a bit more info: why do you need to run standalone
servers?

Rowland




