[Samba] Failing authentication when PAC present in kerberos service ticket
Rowland Penny
rpenny at samba.org
Thu Feb 3 13:52:10 UTC 2022
On Thu, 2022-02-03 at 15:38 +0200, Ahti Seier wrote:
> As far as I know freeIPA and AD do similar things to different
> entities.
> Windows hosts, including workstations are joined to Active Directory
> and centrally managed by Microsoft tools. Cannot do that with
> freeIPA.
> Linux servers are joined to freeIPA. This allows us to control
> service access (including samba),
> sudo rights,
I have been using sudo from AD for years. Yes, you have to extend the
schema, but it is very easy. You can actually do something similar with
GPOs on Samba now.
> ssh keys,
Better still, use kerberos, no keys required.
> certificates etc. from a central location (freeIPA).
That is now either here or will be very shortly.
> AD as far as I know does not allow us to do this for linux hosts
> (not without a custom schema anyway).
Extending the schema isn't hard.
>
> As I mentioned before there is a kerberos trust between freeIPA and
> AD. So AD users on their windows workstations can access services
> hosted on linux hosts in a different kerberos realm. Most users are
> like this, very few users are in freeIPA domain.
You wouldn't need the trust if you just used Samba.
>
> Samba is run in standalone mode because I cannot join it to AD domain
> with the hostname it has. That DNS domain has a different kerberos
> realm mapped and it just would not work. Also there does not seem to
> be an easy way of having samba join the freeIPA domain.
So, your short hostname is greater than 15 characters; this isn't
really a good idea, as you seem to have found. Yes, it is hard, if not
impossible, to join Samba to freeIPA; this may change, but it isn't
imminent as far as I am aware.
Rowland