Hello,

I'm having some difficulty understanding the best approach to setting up a 
Samba file server in our environment. We have an Active Directory domain (2008) 
that has account "stubs" that we use for security and authorization (the 
passwords are unknown/random). This domain has a one-way Kerberos trust to an 
MIT Kerberos realm that we use for authentication. The user accounts are 
name-mapped to the corresponding principal name in the kerberos/authentication 
realm. I had planned to net join the server to the active directory realm for 
user and group resolution, but configure PAM to use pam_krb5 for authentication 
instead of winbind. However, it appears to me that, by design, Samba is not 
able to authenticate and authorize in two different realms this way for the 
following reason:

"Samba always ignores PAM for authentication in the case of encrypt passwords = 
yes" (http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/smb.conf.5.html#ENCRYPTPASSWORDS)
http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/pam.html

Setting "encrypt passwords = no" results in the following testparm error:
ERROR: in 'security=domain' mode the 'encrypt passwords' parameter must always 
be set to 'true'.

Anyone successfully authenticating this way?

Thanks for the help!
-Joseph



smb.conf:

[global]
log file = /var/log/samba/log.%m
log level = auth:3
max log size = 50
security = ads
netbios name = SERVERNAME
realm = AD.DOMAIN.EDU
password server = dc.ad.domain.edu
workgroup = AD
idmap uid = 10000-5000000
idmap gid = 10000-5000000
winbind separator = +
winbind enum users = no
winbind enum groups = no
winbind use default domain = yes
obey pam restrictions = yes

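The two rules the post runs into (encrypt passwords is mandatory once security is domain or ads, and while it is on smbd does its own password checking and never calls a PAM auth module, with obey pam restrictions only adding PAM account/session checks) can be checked before touching a live server. The script below is an added example, not code from the post or from the Samba project; it is a small smb.conf parser plus lint that reproduces those two checks on the [global] section quoted above, with the "encrypt passwords = no" line the poster tried appended. The sample text is constructed for the example and the hostnames are the ones from the post. testparm remains the authoritative checker; this only shows why it complains.

```python
import configparser
import re

# Constructed sample: the [global] section from the post, with the
# "encrypt passwords = no" line the poster tried appended at the end.
SAMPLE_SMB_CONF = """\
[global]
log file = /var/log/samba/log.%m
log level = auth:3
max log size = 50
security = ads
netbios name = SERVERNAME
realm = AD.DOMAIN.EDU
password server = dc.ad.domain.edu
workgroup = AD
idmap uid = 10000-5000000
idmap gid = 10000-5000000
winbind separator = +
winbind enum users = no
winbind enum groups = no
winbind use default domain = yes
obey pam restrictions = yes
encrypt passwords = no
"""

YES = {"yes", "true", "1"}
NO = {"no", "false", "0"}


def parse_smb_conf(text):
    """Parse smb.conf text into {section: {param: value}}.

    Parameter names are normalised the way Samba treats them: case-insensitive
    with internal whitespace dropped, so "Encrypt Passwords" and
    "encrypt passwords" land on the same key.  Comments start with '#' or ';'.
    RawConfigParser is used so the '%m' in "log file" is left alone.
    """
    cp = configparser.RawConfigParser(
        strict=False, allow_no_value=True,
        comment_prefixes=("#", ";"), inline_comment_prefixes=("#", ";"))
    cp.optionxform = lambda name: re.sub(r"\s+", "", name).lower()
    cp.read_string(text)
    return {s.lower(): dict(cp.items(s)) for s in cp.sections()}


def check_auth_config(conf):
    """Return (level, message) findings for the authentication settings.

    Rule 1 mirrors testparm: security = domain/ads requires encrypt passwords.
    Rule 2 mirrors the smb.conf(5) text quoted in the post: with encrypt
    passwords on (the default) smbd never uses PAM for authentication, so a
    pam_krb5 "auth" line is not consulted by Samba at all.
    """
    g = conf.get("global", {})
    security = g.get("security", "user").lower()
    encrypt = g.get("encryptpasswords", "yes").lower()      # Samba default: yes
    obey_pam = g.get("obeypamrestrictions", "no").lower()   # Samba default: no
    findings = []
    if security in ("domain", "ads") and encrypt in NO:
        findings.append(("ERROR",
                         "in 'security=domain' mode the 'encrypt passwords' "
                         "parameter must always be set to 'true'."))
    if encrypt not in NO:
        msg = ("encrypt passwords is on, so smbd authenticates users itself; "
               "PAM 'auth' modules such as pam_krb5 are never consulted")
        if obey_pam in YES:
            msg += ("; obey pam restrictions = yes only adds PAM "
                    "account/session checks on top of that")
        findings.append(("NOTE", msg))
    return findings


if __name__ == "__main__":
    for label, text in (("as posted, plus encrypt passwords = no", SAMPLE_SMB_CONF),
                        ("with that line removed",
                         SAMPLE_SMB_CONF.replace("encrypt passwords = no\n", ""))):
        print(f"--- {label}")
        for level, message in check_auth_config(parse_smb_conf(text)):
            print(f"{level}: {message}")
```

Running it prints the testparm-style ERROR for the first configuration and, for the second, the note that PAM is not part of Samba's password check, which is the "by design" limitation the post describes.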
