Activedirectory Kerberos Only

proxmox_web

New Member
Oct 1, 2021
Having only port 88 enabled to Active Directory, authentication fails, although the user is enabled in /etc/pve/user.cfg.

What is wrong?
I expected PVE not to try LDAP!
 
We have in /etc/pve/user.cfg

Code:
user:mistert@DIR.LOCAL:1:0::::::
user:mistern@DIR.LOCAL:1:0::::::
user:root@pam:1:0::::::


group:ADUser:mistert@DIR.LOCAL,mistern@DIR.LOCAL::


acl:1:/:@ADUser:Administrator:

And in /etc/pve/domain.cfg

Code:
ad: DIR.LOCAL
        domain dir.local
        server1 192.168.66.99
        default 0
        secure 0
 
As far as I can tell, the Active Directory authentication uses LDAP (like most other software does, too) instead of Kerberos.
The difference between the LDAP and AD backends is mostly that MS AD uses some different attributes, like sAMAccountName for the username; otherwise there should be no noteworthy difference.

You need the LDAP ports open for authentication to work: 389 (unencrypted) or 636 (TLS encrypted).
Using encrypted LDAP (LDAPS) is recommended, because LDAP transmits the user's password unencrypted, and without transport encryption (TLS) your credentials could get sniffed.
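The check the reply above points at, as an added example that is not part of the thread and not Proxmox code: read the realm stanza from domain.cfg, work out which LDAP endpoint that realm implies (389 with `secure 0`, 636 with `secure 1`, or an explicit `port` key), and optionally attempt the same kind of simple bind a login needs with `ldapsearch` from ldap-utils. The constructed sample config puts the poster's plain-LDAP realm next to a hardened copy with `secure 1`; the realm name `DIR-LDAPS.LOCAL` and the assumption that the bind identity is `user@domain` are mine, not from the page.

```shell
#!/bin/sh
# Added example (not Proxmox code): derive the LDAP endpoint a PVE AD realm
# in /etc/pve/domain.cfg needs and, if asked, try the simple bind a login
# requires.  Assumption: plain LDAP on 389 for `secure 0`, LDAPS on 636 for
# `secure 1`, unless the stanza carries an explicit `port` key.

realm_param() {
    # realm_param CFG REALM KEY -> value of KEY inside the "type: REALM" stanza
    awk -v realm="$2" -v key="$3" '
        /^[a-z]+: / { in_realm = ($2 == realm); next }
        in_realm && $1 == key { print $2; exit }
    ' "$1"
}

realm_ldap_port() {
    # realm_ldap_port CFG REALM -> TCP port the realm will connect to
    port=$(realm_param "$1" "$2" port)
    if [ -n "$port" ]; then
        echo "$port"
    elif [ "$(realm_param "$1" "$2" secure)" = "1" ]; then
        echo 636
    else
        echo 389
    fi
}

realm_ldap_url() {
    # realm_ldap_url CFG REALM -> ldap:// or ldaps:// URL for server1
    scheme=ldap
    [ "$(realm_param "$1" "$2" secure)" = "1" ] && scheme=ldaps
    echo "$scheme://$(realm_param "$1" "$2" server1):$(realm_ldap_port "$1" "$2")"
}

check_realm_login() {
    # check_realm_login CFG REALM USER: TCP reachability, then an LDAP simple
    # bind as USER@domain (the password is prompted for, never passed on argv)
    url=$(realm_ldap_url "$1" "$2")
    host=$(realm_param "$1" "$2" server1)
    port=$(realm_ldap_port "$1" "$2")
    domain=$(realm_param "$1" "$2" domain)
    echo "realm $2 needs $url open (port 88 alone is not enough)"
    if command -v nc >/dev/null 2>&1; then
        nc -z -w 3 "$host" "$port" && echo "tcp $host:$port reachable" \
            || { echo "tcp $host:$port blocked"; return 1; }
    fi
    # rootDSE read with no attributes (1.1): succeeds only if the bind worked
    ldapsearch -x -H "$url" -D "$3@$domain" -W -b "" -s base 1.1 >/dev/null \
        && echo "bind as $3@$domain succeeded"
}

sample_cfg() {
    # Constructed sample, not the poster's file: the thread's realm (plain
    # LDAP, password on the wire in the clear) beside a hardened LDAPS copy.
    f=$(mktemp)
    cat >"$f" <<'EOF'
ad: DIR.LOCAL
        domain dir.local
        server1 192.168.66.99
        default 0
        secure 0

ad: DIR-LDAPS.LOCAL
        domain dir.local
        server1 192.168.66.99
        default 0
        secure 1
EOF
    echo "$f"
}

# Usage on a PVE node: sh realmcheck.sh /etc/pve/domain.cfg DIR.LOCAL mistert
if [ $# -ge 3 ]; then
    check_realm_login "$1" "$2" "$3"
fi
```

With `secure 1` the domain controller's certificate has to be trusted by the PVE node (put the issuing CA in the system trust store); disabling verification on the client just trades sniffing for a trivial man-in-the-middle, so do not work around a TLS error that way.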
 