[Samba] Samba 4.2.15 and MIT Kerberos External Authentication
igor noredinoski
igor.noredinoski at gmail.com
Wed Apr 9 13:49:32 UTC 2025
>> The local on
>> site domain is a realm that has a list of usernames and samba
>> accounts but authentication is off loaded onto an external realm and
>> there is a one way trust relationship where the local samba server
>> trusts the external realm -- all that is required is that there is a
>> local username and username map on local samba server.
> Sorry, but if you are running Samba as an AD DC, it must be the point of
> truth, it must hold all the AD records and your AD domain clients must
> use it for authentication.
Thank you. In this case what I am attempting to do is use the experimental
features of the server where the point of truth is the Samba ADC for the
local domain but the password authentication for users is pulled from an
external Kerberos realm. What we are trying to do is integrate into the
corporate Kerberos environment and will later try to set up MFA from it.

The end goal is, sysadmin creates a new user account, username only, that
is created and approved on local Samba ADC. When the user logs in, they use
their corporate credentials and then also use an MFA device such as a
smartphone, or whatnot, to log in on the workstation. (The MFA integration
I will tackle later).

At present, kinit works for foo@DEPARTMENT.LOCAL and foo@COMPANY.COM fine
from command line.