winbind use krb5 enterprise principals
winbindd is able to get kerberos tickets for pam_winbind with krb5_auth or wbinfo -K/--krb5auth=.
winbindd (at least on a domain member) is never be able to have a complete picture of the trust topology (which is managed by the DCs). There might be uPNSuffixes and msDS-SPNSuffixes values, which don't belong to any AD domain at all.
With no winbindd don't even get an incomplete picture of the topology.
It is not really required to know about the trust topology. We can just rely on the [K]DCs of our primary domain (e.g. PRIMARY.A.EXAMPLE.COM) and use enterprise principals e.g. [email protected]@PRIMARY.A.EXAMPLE.COM and follow the WRONG_REALM referrals in order to find the correct DC. The final principal might be [email protected].
With yes winbindd enterprise principals will be used.
Example: yes
Supported on: At least Microsoft Windows 7 or Windows Server 2008 family
winbind use krb5 enterprise principals| Registry Hive | HKEY_LOCAL_MACHINE |
| Registry Path | Software\Policies\Samba\smb_conf\winbind use krb5 enterprise principals |
| Value Name | winbind use krb5 enterprise principals |
| Value Type | REG_DWORD |
| Default Value | 0 |
| True Value | 1 |
| False Value | 0 |
samba.admx
- Samba
- smb.conf
- abort shutdown script
- add group script
- additional dns hostnames
- add machine script
- addport command
- addprinter command
- add share command
- add user script
- add user to group script
- afs token lifetime
- afs username map
- aio max threads
- algorithmic rid base
- allow dcerpc auth level connect
- allow dns updates
- allow insecure wide links
- allow nt4 crypto
- allow trusted domains
- allow unsafe cluster upgrade
- apply group policies
- async smb echo handler
- auth event notification
- auto services
- binddns dir
- bind interfaces only
- browse list
- cache directory
- change notify
- change share command
- check password script
- cldap port
- client ipc max protocol
- client ipc min protocol
- client ipc signing
- client lanman auth
- client ldap sasl wrapping
- client max protocol
- client min protocol
- client NTLMv2 auth
- client plaintext auth
- client schannel
- client signing
- client use spnego
- client use spnego principal
- cluster addresses
- clustering
- config backend
- config file
- create krb5 conf
- ctdbd socket
- ctdb locktime warn threshold
- ctdb timeout
- cups connection timeout
- cups encrypt
- cups server
- dcerpc endpoint servers
- deadtime
- debug class
- debug encryption
- debug hires timestamp
- debug pid
- debug prefix timestamp
- debug uid
- dedicated keytab file
- default service
- defer sharing violations
- delete group script
- deleteprinter command
- delete share command
- delete user from group script
- delete user script
- dgram port
- disable netbios
- disable spoolss
- dns forwarder
- dns proxy
- dns update command
- dns zone scavenging
- domain logons
- domain master
- dos charset
- dsdb event notification
- dsdb group change notification
- dsdb password event notification
- elasticsearch:mappings
- enable asu support
- enable core files
- enable privileges
- enable spoolss
- encrypt passwords
- enhanced browsing
- enumports command
- eventlog list
- fss: prune stale
- fss: sequence timeout
- get quota command
- getwd cache
- gpo update command
- guest account
- homedir map
- host msdfs
- hostname lookups
- idmap backend
- idmap cache time
- idmap gid
- idmap negative cache time
- idmap uid
- include system krb5 conf
- init logon delay
- init logon delayed hosts
- interfaces
- iprint server
- keepalive
- kerberos encryption types
- kerberos method
- kernel change notify
- kpasswd port
- krb5 port
- lanman auth
- large readwrite
- ldap admin dn
- ldap connection timeout
- ldap debug level
- ldap debug threshold
- ldap delete dn
- ldap deref
- ldap follow referral
- ldap group suffix
- ldap idmap suffix
- ldap machine suffix
- ldap max anonymous request size
- ldap max authenticated request size
- ldap max search request size
- ldap page size
- ldap passwd sync
- ldap replication sleep
- ldapsam:editposix
- ldapsam:trusted
- ldap server require strong auth
- ldap ssl
- ldap ssl ads
- ldap suffix
- ldap timeout
- ldap user suffix
- lm announce
- lm interval
- load printers
- local master
- lock directory
- lock spin time
- log file
- logging
- log level
- log nt token command
- logon drive
- logon home
- logon path
- logon script
- log writeable files on exit
- lpq cache time
- lsa over netlogon
- machine password timeout
- mangle prefix
- mangling method
- map to guest
- max disk size
- max log size
- max mux
- max open files
- max smbd processes
- max stat cache size
- max ttl
- max wins ttl
- max xmit
- mdns name
- message command
- min receivefile size
- min wins ttl
- mit kdc command
- multicast dns register
- name cache timeout
- name resolve order
- nbt client socket address
- nbtd:wins_prepend1Bto1Cqueries
- nbtd:wins_randomize1Clist_mask
- nbtd:wins_wins_randomize1Clist
- nbt port
- ncalrpc dir
- netbios aliases
- netbios name
- netbios scope
- neutralize nt4 emulation
- NIS homedir
- nmbd bind explicit broadcast
- nsupdate command
- ntlm auth
- nt pipe support
- ntp signd socket directory
- nt status support
- null passwords
- obey pam restrictions
- old password allowed period
- oplock break wait time
- os2 driver map
- os level
- pam password change
- panic action
- passdb backend
- passdb expand explicit
- passwd chat
- passwd chat debug
- passwd chat timeout
- passwd program
- password hash gpg key ids
- password hash userPassword schemes
- password server
- perfcount module
- pid directory
- preferred master
- prefork backoff increment
- prefork children
- prefork maximum backoff
- preload modules
- printcap cache time
- printcap name
- private dir
- raw NTLMv2 auth
- read raw
- realm
- registry shares
- reject md5 clients
- reject md5 servers
- remote announce
- remote browse sync
- rename user script
- require strong key
- reset on zero vc
- restrict anonymous
- root directory
- rpc big endian
- rpc server dynamic port range
- rpc server port
- rpc_daemon:DAEMON
- rpc_server:SERVER
- samba kcc command
- security
- server max protocol
- server min protocol
- server multi channel support
- server role
- server schannel
- server services
- server signing
- server string
- set primary group script
- set quota command
- share:fake_fscaps
- share backend
- show add printer wizard
- shutdown script
- smb2 disable lock sequence checking
- smb2 disable oplock break retry
- smb2 leases
- smb2 max credits
- smb2 max read
- smb2 max trans
- smb2 max write
- smbd profiling level
- smb passwd file
- smb ports
- socket options
- spn update command
- spoolss: architecture
- spoolss: os_build
- spoolss: os_major
- spoolss: os_minor
- spoolss_client: os_build
- spoolss_client: os_major
- spoolss_client: os_minor
- stat cache
- state directory
- svcctl list
- syslog
- syslog only
- template homedir
- template shell
- time server
- timestamp logs
- tls cafile
- tls certfile
- tls crlfile
- tls dh params file
- tls enabled
- tls keyfile
- tls priority
- tls verify peer
- unicode
- unix charset
- unix extensions
- unix password sync
- use mmap
- username level
- username map
- username map cache time
- username map script
- usershare allow guests
- usershare max shares
- usershare owner only
- usershare path
- usershare prefix allow list
- usershare prefix deny list
- usershare template share
- utmp
- utmp directory
- winbind:ignore domains
- winbind cache time
- winbindd socket directory
- winbind enum groups
- winbind enum users
- winbind expand groups
- winbind max clients
- winbind max domain connections
- winbind nested groups
- winbind normalize names
- winbind nss info
- winbind offline logon
- winbind reconnect delay
- winbind refresh tickets
- winbind request timeout
- winbind rpc only
- winbind scan trusted domains
- winbind sealed pipes
- winbind separator
- winbind use default domain
- winbind use krb5 enterprise principals
- winsdb:dbnosync
- winsdb:local_owner
- wins hook
- wins proxy
- wins server
- wins support
- workgroup
- wreplsrv:periodic_interval
- wreplsrv:propagate name releases
- wreplsrv:scavenging_interval
- wreplsrv:tombstone_extra_timeout
- wreplsrv:tombstone_interval
- wreplsrv:tombstone_timeout
- wreplsrv:verify_interval
- write raw
- wtmp directory
- Unix Settings
- Messages
- Scripts
- Sudo Rights
- smb.conf