[Samba] Failing authentication when PAC present in kerberos service ticket

Rowland Penny rpenny at samba.org
Thu Feb 3 13:52:10 UTC 2022

On Thu, 2022-02-03 at 15:38 +0200, Ahti Seier wrote:
> As far as I know freeIPA and AD do similar things to different
> entities.
> Windows hosts, including workstations are joined to Active Directory
> and centrally managed by Microsoft tools. Cannot do that with
> freeIPA.
> Linux servers are joined to freeIPA. This allows us to control
> service access (including samba), 

> sudo rights,

I have been using sudo from AD for years, yes, you have to extend the
schema but it very easy. You can actually do something similar with
GPO's on Samba now.
>  ssh keys,

Better still, use kerberos, no keys required.

>  certificates etc. from a central location (freeIPA).

That is now either here or will be very shortly.
>  AD as far as I know does not allow us to do this for linux hosts
> (not without a custom schema anyway). 

Extending the schema isn't hard.

> As I mentioned before there is a kerberos trust between freeIPA and
> AD. So AD users on their windows workstations can access services
> hosted on linux hosts in a different kerberos realm. Most users are
> like this, very few users are in freeIPA domain.

You wouldn't need the trust if you just used Samba.

> Samba is run in standalone mode because I cannot join it to AD domain
> with the hostname it has. That DNS domain has a diffrent kerberos
> realm mapped and it just would not work. Also there does not seem to
> be an easy way having samba join freeIPA domain. 

So, your short hostname is greater than 15 characters, this isn't
really a good idea, as you seem to have found. Yes, it is hard, if not
impossible to join Samba to freeipa, this may change, but it isn't
imminent as far as I am aware.


More information about the samba mailing list