On Thu, 2012-11-01 at 15:00 +0000, Rafferty, Joseph wrote:
> Hello,
>
> I'm having some difficulty understanding the best approach to setting up a
> samba fileserver in our environment. We have an active directory domain
> (2008) that has account "stubs" that we use for security and authorization
> (the passwords are unknown/random). This domain has a one-way Kerberos trust
> to an MIT Kerberos realm that we use for authentication. The user accounts
> are name-mapped to the corresponding principal name in the
> kerberos/authentication realm. I had planned to net join the server to the
> active directory realm for user and group resolution, but configure PAM to
> use pam_krb5 for authentication instead of winbind. However, it appears to me
> that, by design, Samba is not able to authenticate and authorize in two
> different realms this way for the following reason:
>
> "Samba always ignores PAM for authentication in the case of encrypt passwords = yes"
> <http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/smb.conf.5.html#ENCRYPTPASSWORDS>
> http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/pam.html
>
> Setting "encrypt passwords = no" results in the following testparm error:
> ERROR: in 'security=domain' mode the 'encrypt passwords' parameter must
> always be set to 'true'.
>
> Anyone successfully authenticating this way?
>
> Thanks for the help!
> -Joseph
>
> smb.conf:
>
> [global]
> log file = /var/log/samba/log.%m
> log level = auth:3
> max log size = 50
> security = ads
> netbios name = SERVERNAME
> realm = AD.DOMAIN.EDU
> password server = dc.ad.domain.edu
> workgroup = AD
> idmap uid = 10000-5000000
> idmap gid = 10000-5000000
> winbind separator = +
> winbind enum users = no
> winbind enum groups = no
> winbind use default domain = yes
> obey pam restrictions = yes
What error do you get when you use *just* what you have above?

You should run winbind, and accept kerberos logins from your clients. We need
to be joined to the AD domain. As long as the tickets contain a PAC, we really
don't mind where they came from.

Don't try and involve PAM or turn off encrypted passwords, because we never
get a plaintext password from modern clients anyway.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
