Heads-up for samba-4.9.0.
We no longer need an ugly hack in /etc/krb5.conf to canonicalize user names:
Quote:
Local authorization plugin for MIT Kerberos
-------------------------------------------
This plugin controls the relationship between Kerberos principals and AD
accounts through winbind. The module receives the Kerberos principal and the
local account name as inputs and can then check if they match. This can resolve
issues with canonicalized names returned by Kerberos within AD. If the user
tries to log in as 'alice', but the samAccountName is set to ALICE (uppercase),
Kerberos would return ALICE as the username. Kerberos would not be able to map
'alice' to 'ALICE' in this case and auth would fail. With this plugin, account
names can be correctly mapped. This only applies to GSSAPI authentication,
not for getting the initial ticket granting ticket.
An /etc/krb5.conf like this works fine:
Code:
[libdefaults]
    default_realm = EXAMPLE.NET
    dns_lookup_realm = false
    dns_lookup_kdc = true
[logging]
    default = SYSLOG:NOTICE
[plugins]
    localauth = {
        module = winbind:winbind/winbind_krb5_localauth.so
        enable_only = winbind
    }
And a change in "net ads keytab add":
Quote:
'net ads keytab' changes
------------------------
net ads keytab add no longer attempts to convert the passed serviceclass
(e.g. nfs, html etc.) into a Windows SPN which is added to the Windows AD
computer object. By default just the keytab file is modified.
A new keytab subcommand 'add_update_ads' has been added to preserve the
legacy behaviour. However the new 'net ads setspn add' subcommand should
really be used instead.
net ads keytab create no longer tries to generate SPN(s) from existing
entries in a keytab file. If it is required to add Windows SPN(s) then
'net ads setspn add' should be used instead.
So for nfs now we use "net ads add_update_ads nfs".
Cheers
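Added example (not from the post or from Samba): a small check that a krb5.conf actually carries the [plugins] localauth block shown above, so a host can be audited before the old canonicalization hack is dropped. krb5.conf nests blocks in braces, which Python's configparser cannot read, so the parser is hand-rolled; the sample config below is constructed to mirror the post.

```python
"""Verify that a krb5.conf enables the winbind localauth plugin."""
import re
from pathlib import Path

# Constructed sample mirroring the configuration in the post.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.NET
[plugins]
    localauth = {
        module = winbind:winbind/winbind_krb5_localauth.so
        enable_only = winbind
    }
"""


def parse_krb5_conf(text):
    """Return {section: {key: value | {key: value}}} for krb5.conf-style text.

    Handles one level of brace nesting (key = { ... }), which is all the
    localauth block needs; lines before the first [section] are ignored.
    """
    sections, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        m = re.match(r'^\[([\w-]+)\]$', line)
        if m:                                     # new [section]
            section = sections.setdefault(m.group(1), {})
            block = None
            continue
        if section is None:
            continue
        if line == '}':                           # end of a nested block
            block = None
            continue
        key, _, value = (p.strip() for p in line.partition('='))
        if value == '{':                          # start of a nested block
            block = section.setdefault(key, {})
            continue
        (block if block is not None else section)[key] = value
    return sections


def winbind_localauth_enabled(text):
    """True when [plugins] localauth loads the winbind module and restricts
    localauth to it (enable_only = winbind), as in the post's config."""
    la = parse_krb5_conf(text).get('plugins', {}).get('localauth')
    if not isinstance(la, dict):
        return False
    return (la.get('module', '').startswith('winbind:')
            and la.get('enable_only') == 'winbind')


def check_krb5_conf(path='/etc/krb5.conf'):
    """Read a real krb5.conf (path is an assumption) and run the check."""
    return winbind_localauth_enabled(Path(path).read_text())
```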