[Samba] Failing authentication when PAC present in kerberos service ticket

Ahti Seier ahti.seier at gmail.com
Thu Feb 3 13:38:29 UTC 2022

As far as I know freeIPA and AD do similar things to different entities.
Windows hosts, including workstations, are joined to Active Directory and
centrally managed by Microsoft tools. Cannot do that with freeIPA.
Linux servers are joined to freeIPA. This allows us to control service
access (including samba), sudo rights, ssh keys, certificates etc. from a
central location (freeIPA). AD as far as I know does not allow us to do
this for linux hosts (not without a custom schema anyway).

As I mentioned before there is a kerberos trust between freeIPA and AD. So
AD users on their windows workstations can access services hosted on linux
hosts in a different kerberos realm. Most users are like this, very few
users are in freeIPA domain.

Samba is run in standalone mode because I cannot join it to AD domain with
the hostname it has. That DNS domain has a different kerberos realm mapped
and it just would not work. Also there does not seem to be an easy way of
having samba join the freeIPA domain.

Contact Rowland Penny via samba (<samba at lists.samba.org>) wrote on
Thu, 3 February 2022 at 15:18:

> On Thu, 2022-02-03 at 14:55 +0200, Ahti Seier via samba wrote:
> > Hello,
> >
> >   We have been running samba in standalone mode (security = user)
> > with
> > kerberos authentication.
> >   So I was wondering. What benefits will I actually get from running
> > winbind instead of  having NSS on the hosts resolve users and groups?
> >
> >   Or am I going about this the wrong way? Is there a better way to
> > authenticate AD users to a non-AD-joined host?
> I do not understand why you are running FreeIPA and AD, they both do
> basically the same thing, I also do not understand why you are using
> standalone servers in an AD/freeipa domain.
> The benefits you will get from turning your standalone servers into
> Unix domain members are, ACL support and NTLM fallback.
> I think we need a bit more info, why do you need to run standalone
> servers?
> Rowland
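As an added illustration of the two setups being compared in this thread (standalone with `security = user` versus the Unix domain member the reply recommends), here are the two smb.conf `[global]` sections side by side. This is example configuration written for this page, not the poster's or the Samba project's files; the workgroup, realm, keytab path and idmap ranges are placeholders, and each section is meant as a separate smb.conf, not both in one file.

```ini
# Example (a): standalone server, as the original poster runs it.
# Kerberos can still validate AD users' service tickets, but Samba is not
# an AD member: no winbind SID-to-UID mapping, no NTLM fallback, and
# share ACLs cannot refer to AD users and groups.
[global]
    security = user
    workgroup = WORKGROUP                  ; placeholder
    kerberos method = secrets and keytab
    dedicated keytab file = /etc/samba/samba.keytab   ; placeholder path

# Example (b): Unix domain member, joined to AD with 'net ads join'.
# winbind supplies AD users and groups to NSS/PAM, maps SIDs to
# UIDs/GIDs deterministically (rid backend), and allows NTLM fallback
# when a client cannot present a Kerberos ticket.
[global]
    security = ADS
    workgroup = EXAMPLE                    ; placeholder short domain name
    realm = EXAMPLE.COM                    ; placeholder Kerberos realm
    kerberos method = secrets and keytab
    idmap config * : backend = tdb         ; default domain (BUILTIN etc.)
    idmap config * : range = 3000-7999
    idmap config EXAMPLE : backend = rid   ; placeholder range, must not overlap
    idmap config EXAMPLE : range = 10000-999999
    winbind use default domain = yes
    winbind refresh tickets = yes
    template shell = /bin/bash
    template homedir = /home/%U
```

With variant (b) in place, `net ads testjoin` confirms the machine account is valid and `wbinfo -u` (or `getent passwd` once `winbind` is in nsswitch.conf) confirms that AD users resolve through winbind rather than through whatever NSS source the standalone host was using.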
