On 06/17/2011 02:00 AM, Andrew Bartlett wrote:
On Tue, 2011-06-14 at 12:49 -0400, Mauricio Tavares wrote:
Quick and easy question: I have a network which already has its
own kerberos + ldap servers running and I want to set up a samba4 box
as AD. So, from conversations here and on irc, the best thing to do is
to set up the samba4's built-in kerberos to do cross-realm
authentication with the other kerberos server. Now, how would those
crossed users look in samba? Or, how would they be created in the
samba4 ldap so they would have, among other things, a local home
directory (or wherever the homedir is; it just has to be in a place
samba can find, know what to do with it, and do it) which would then be
exported?

I realise it's not a great answer, but currently we don't support
cross-realm trusts.  We have some of the parts (they are being used for
IPA), but I would not make any assumptions about it being fully working
for what you need.  In particular, for the Microsoft model, we should
find the 'local' account for the principal and make up a PAC, none of
which we do.

Oh lovely. So I guess Samba 4 is out of the question for me unless I want to move all of our authentication/authorization stuff that works fine with our Linux, Solaris, and OSX systems to Samba 4. And that is just not happening for many reasons.

This was the entire reason I went with it: I was hoping that somehow I would be able to sync it with our established kerberos/ldap setup. All I needed was just the kerberos part to work across realms. I should have read this reply a week ago.

As to extending the Samba4 schema, this is a great option, except that a
number of users have reported various issues here, which we are yet to
resolve.

Andrew Bartlett


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba