On Fri, 04 Apr 2025, Данила Скачедубов via FreeIPA-users wrote:
Hello,

Is it possible to create a Samba network share on a FreeIPA domain controller that would allow domain users to authenticate via their Kerberos tickets without running ipa-adtrust-install? Since I don't plan to establish any trust relationship with Windows domains:

1. Can winbind properly map user SIDs to UIDs without the AD trust components installed?
2. Or is there an alternative way to configure smb.conf to make this work with pure FreeIPA/Kerberos authentication?

My understanding is that ipa-adtrust-install generates the necessary ID mapping structures for Samba, but I'm wondering if there's a lighter-weight solution when Windows trusts aren't required.

No, it isn't.

A domain network has specific assumptions, and one of them is important here:
there must be a domain controller configured. All `ipa-adtrust-install`
does is configure that domain controller. Regardless of whether you want
to use 'AD trust' or not, you have to have a domain controller if you
want to use domain-wide authentication.

`ipa-adtrust-install` simply configures the Samba DC to use a special mode
that is valid for an IPA domain controller. This is needed because the other
supported Samba modes cannot be used with a FreeIPA domain controller (we
do not implement an Active Directory DC, so we cannot use the AD DC mode). It is
a hybrid mode described in
https://freeipa.readthedocs.io/en/latest/designs/adtrust/samba-domain-controller.html

When Samba is configured in standalone mode, it is typically not
expected to work with Kerberos. We had to fix a lot of
issues in the Samba code to make it possible to use Kerberos with a local KDC
(when Samba is not enrolled into any domain).


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland

--
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue