Thursday, January 17, 2019

linux - Possible to authenticate Samba via Kerberos but without domain-join?

With a Kerberos config file...

    [realms]
    DOMAIN.COM = {
        kdc = dc1.domain.com
        admin_server = dc1.domain.com
    }

...it is possible for Linux to talk to Active Directory for password validation without necessarily being an AD domain member:

    $ kinit jdoe
    Password for jdoe@DOMAIN.COM:
    $ klist
    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: jdoe@DOMAIN.COM

    Valid starting       Expires              Service principal
    01/12/15 15:36:16    01/13/15 01:36:25    krbtgt/DOMAIN.COM@DOMAIN.COM
            renew until 01/19/15 15:36:16

At this point, you can use PAM to define local Linux users in /etc/passwd, yet have their TTY sessions authenticated via Active Directory. Authn via krb5 is done as a per-login context:

    auth        sufficient    pam_krb5.so use_first_pass

But if krb5 is already implemented as part of the PAM global defaults, why isn't Samba also picking it up? I see /etc/pam.d/samba does an include of the Kerberized password-auth file, but no joy when accessing an SMB volume. (Debug logs indicate a failed-to-get-SID error, which is very "you are not part of the domain".)



My underlying question is: can a similar krb5 authn centralization be done under Samba as it was for Shell, without all that extra overhead/complexity of domain membership? I need to have Samba services implemented on a group of NIS-clustered systems, but don't want to have different TDBSAM back-ends on each system leading to SMB password confusion. Using Kerberos as my authenticator would be great. However, I still want to define authorization/access via local Linux account and not open up Samba access to all domain users as would be the case with domain-join, winbind DC emulation, or full-fledged AD server.



Alternatively: is there a better centralized back-end authn option for Samba in a Linux cluster? I looked at CTDB, but it seemed to be geared towards mediating shared-storage rather than central authn with disparate volumes...
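As an added example (not from the question, nor Samba's or pam_krb5's own code), the split the asker is after, modelled in Python: Kerberos supplies authentication, the local account database supplies authorization, and a Kerberos success never becomes an authorization decision on its own. The authenticator is an injected callable so the script runs offline; a real deployment would swap in pam_krb5 or a kinit call and validate the returned ticket against a host keytab so a spoofed KDC cannot grant access. SAMPLE_PASSWD, ALLOWED_REALMS, split_principal and login are this example's own names and assumptions.

```python
# Added example: Kerberos for authn, local /etc/passwd for authz.
# The 'authenticate' callable stands in for pam_krb5/kinit so this runs offline.

# Constructed sample in /etc/passwd format: only users listed here are authorised.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
jdoe:x:1001:1001:John Doe:/home/jdoe:/bin/bash
svc-backup:x:1002:1002:Backup:/var/backup:/sbin/nologin
"""

# Realms we accept principals from (assumption: the AD realm from the question).
ALLOWED_REALMS = {"DOMAIN.COM"}


def parse_passwd(text):
    """Return {login: shell} for each well-formed passwd line."""
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed entry: skip rather than guess
        users[fields[0]] = fields[6]
    return users


def split_principal(principal, default_realm="DOMAIN.COM"):
    """'jdoe@DOMAIN.COM' -> ('jdoe', 'DOMAIN.COM'); a bare name gets the default realm."""
    name, sep, realm = principal.partition("@")
    if not name or "/" in name:  # reject empty names and service-style principals
        return None
    return name, (realm if sep else default_realm)


def login(principal, password, authenticate, passwd_text=SAMPLE_PASSWD):
    """Authorise against the local account list first, then authenticate via Kerberos.

    Returns (ok, reason). Local checks run first so an unknown or disabled local
    user never triggers a KDC round trip, and a valid AD password alone is never enough.
    """
    parsed = split_principal(principal)
    if parsed is None:
        return False, "bad principal"
    name, realm = parsed
    if realm not in ALLOWED_REALMS:
        return False, "realm not allowed"
    users = parse_passwd(passwd_text)
    if name not in users:
        return False, "no local account"
    if users[name].endswith("nologin"):
        return False, "login disabled"
    if not authenticate(f"{name}@{realm}", password):
        return False, "kerberos authentication failed"
    return True, "ok"
```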
