[Samba] Confusion about libpam-krb5 and libpam-winbind
Rowland Penny
rpenny at samba.org
Thu Feb 17 10:35:10 UTC 2022
On Thu, 2022-02-17 at 11:12 +0100, Matthias Kühne | Ellerhold AG via
samba wrote:
> Hello samba-community,
>
> on our Debian Domain members (Samba 4.14) we cant change the password
> of
> local (non-AD) users, because it asks for the "Current kerberos
> password".
You shouldn't really have many local users, just enough to fix things
if something goes wrong and you cannot contact AD.
>
> Ive tracked it down to the libpam-krb5. I can up the "minimum_uid"
> from
> 1000 to the value of my smb.conf (10000) and the problem is gone. Is
> this the correct way to fix this problem?
Yes, Setting every occurrence of '1000' in /etc/pam.d/common-* to the
DOMAIN lower range is the correct way to fix this.
>
>
> That leads me to a second question: What we need on these servers
> are
> SSH and SMB access via users from the domain. Both are using username
> +
> password (e. g. MY-DOMAIN\matthias.kuehne and a PW). As far as I
> understand it this is handled by libpam-winbind, correct?
You can turn off the 'MY-DOMAIN\' by setting 'winbind use default
domain = yes', provided you are using the 'ad' or 'rid' winbind idmap
backend with one domain.
This is handled by libpam-winbind & libnss-winbind
>
> libpam-krb5 would enable me to use kerberos tickets to access the
> file
> shares (and possibly ssh?).
Yes, and definitely ssh
> If I dont need that - can I uninstall it or
> does any background system of a samba domain member use this pam-
> module?
No and yes
> Same question for a samba ad-dc!
You only need to set up PAM and the winbind links on a DC if you
require your users to log into the DC directly (something that Samba
does not recommend)
Rowland
More information about the samba
mailing list