[Samba] Can windows clients get kerberos tickets from samba3 PDC?

Tiit Kaeeli kaeeli at quretec.com
Mon Dec 1 10:30:13 MST 2014


On Mon, 1 Dec 2014, Gaiseric Vandal wrote:

> On 12/01/14 11:17, Tiit Kaeeli wrote:
>>> Is it possible for windows clients to authenticate against kerberos and 
>>> receive tickets from a Samba3 PDC, when kerberos server is MIT kerberos 
>>> running on a Linux server, not a Windows AD server?
>>> 
>>> https://help.ubuntu.com/community/Samba/Kerberos
>>> Suggests that this may be possible and I can successfully authenticate with 
>>> smbclient -k. But windows users do not receive tickets on domain login. At 
>>> least kerbtray from the Windows Server 2003 resource kit tools does not show 
>>> them on a Windows 7 client.
>>> 
>>> I have not found a definitive statement that it is not possible, nor any 
>>> more detailed documentation on how this can be done.
>>> 
>>> So can this be done or not?
>>> 
>>> Where to find documentation?
>>> How to get more detailed logging and find out why it is not working?
>>> 
>>> Can this be done with samba4 with external MIT kerberos?
>>> 
>>> Thanks.
>>> 
>> 
>> Any ideas?
>> 
>> 
>
>
> Samba 3.x is a "classic" (NT4-type) domain using NTLM authentication. I 
> would suspect that using "smbclient -k" would only be useful if you were NOT 
> trying to configure your Linux machine as part of a Windows domain. For 
> Windows, the kerberos auth is only useful if you don't have a windows domain 
> but you are trying to centralize authentication. I believe in this case you 
> still have to define the users on the windows machine anyway.
>
>
> What is the goal?   To have a single password for linux and windows users?

The goal is to get kerberos tickets to windows clients, so that they can 
be used to SSO to other services.


>
> I have been tinkering with MIT kerberos for unix clients. Currently I use 
> Samba 3.x for windows users. Samba uses the same LDAP backend that is used for 
> unix clients. Each user LDAP entry has the user name, unix password and 
> samba password. Since Samba has a password sync script, unix users 
> change passwords with the "smbpasswd" command (not passwd) so that the 
> windows and unix passwords stay in sync. I can also configure client 
> machines to use kerberos passwords, although the kerberos passwords currently 
> do not sync with the LDAP unix and samba passwords.

Same here. Plus I got kerberos passwords in sync with others using
http://labs.opinsys.com/blog/2010/05/05/smbkrb5pwd-password-syncing-for-openldap-mit-kerberos-and-samba/


>
>
> As far as I can tell, Samba 4 does not support MIT kerberos. At this point, I 
> am seriously considering migrating my domain controllers to Windows 2008/2012 
> while keeping Samba for the file servers. Either way, I have to abandon 
> the MIT kerberos server.

Yes, currently samba 4 does not support MIT kerberos. It is in
https://wiki.samba.org/index.php/Roadmap#Active_Directory_Server
Is there any estimate for it?


One more bit is unclear for me. If I install Samba4, it will come with a 
dedicated built-in Heimdal Kerberos server. Can this kerberos server be 
used directly by Linux kerberos clients, should all access be done through 
samba, or must there be a separate kerberos server for Linux clients? If 
the last is true, how should the two kerberos servers be kept in sync?

For LDAP, it seems to be the last option (Two ldap servers, 
synchronization is managed by PAM). Is it so?

We do not have and will not have any windows servers. So the options are:

1. Find a way to get kerberos tickets to windows clients using Samba3
2. Drop MIT kerberos and go for Samba4 and Heimdal kerberos
3. Use Heimdal kerberos for Samba4 and MIT kerberos for Linux
4. Wait until Samba4 MIT kerberos support is ready.
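
Editor's added example, not from this thread and not Samba's own code: option 1 above, as far as Windows itself supports it, is the Microsoft-documented mechanism for a non-domain (workgroup) Windows client to log on against an MIT realm directly. ksetup points the Kerberos client at the realm and KDC, maps realm principals to local accounts (Gaiseric's point that the users still have to exist on the Windows machine), and the built-in klist on Windows 7 shows whether a TGT was actually issued, so kerbtray from the 2003 resource kit is not needed. Everything below is an assumption for illustration: the realm EXAMPLE.COM, the KDC kdc.example.com, the client FQDN win7box.example.com, the local account tiit and the shared host-principal secret.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell prompt
# on a Windows 7 client that is NOT a member of an AD domain; ksetup, klist,
# reg and Get-WinEvent are all built-in tools.
# Assumed names: realm EXAMPLE.COM, KDC kdc.example.com, local user "tiit".
$Realm = 'EXAMPLE.COM'
$Kdc   = 'kdc.example.com'

# 1. Point the Windows Kerberos client at the MIT realm and its KDC/kpasswd server.
#    The client's FQDN (here win7box.example.com, an assumption) must resolve and the
#    clock must be within the KDC's clock skew (5 minutes by default), or AS-REQs fail.
ksetup /setdomain $Realm
ksetup /addkdc $Realm $Kdc
ksetup /addkpasswd $Realm $Kdc
ksetup /setrealmflags $Realm TcpSupported

# 2. Set the machine's host principal password. The KDC must hold a matching
#    host/<fqdn>@REALM principal created with the same secret, e.g. on the KDC:
#      kadmin.local -q "addprinc -pw <secret> host/win7box.example.com"
ksetup /setcomputerpassword '<secret>'     # assumption: same secret as on the KDC

# 3. Map realm principals to local accounts. Windows needs a local account for the
#    session; only the authentication is delegated to the MIT KDC.
ksetup /mapuser tiit@EXAMPLE.COM tiit
# ksetup /mapuser * *                       # alternative: map every principal to the
                                            # local account of the same name

# 4. Turn on Kerberos client event logging so failed AS/TGS exchanges land in the
#    System event log with their KRB error code. Set LogLevel back to 0 afterwards.
$p = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
if (-not (Test-Path $p)) { New-Item -Path $p | Out-Null }
Set-ItemProperty -Path $p -Name LogLevel -Value 1 -Type DWord

# 5. Reboot, log on at the console as tiit@EXAMPLE.COM, then verify.
ksetup                                       # dumps realm, KDC and mapping configuration
klist                                        # a working logon lists krbtgt/EXAMPLE.COM@EXAMPLE.COM
Get-WinEvent -LogName System -MaxEvents 100 |
    Where-Object { $_.ProviderName -like '*Kerberos*' } |
    Format-List TimeCreated, Id, Message
```

This configures the Windows box as a standalone MIT realm client; it does not make it a member of the Samba3 NT4-style domain, whose logon is NTLM-based, so the two are separate logon paths rather than one combined one. On the KDC side the corresponding check is the MIT kdc.conf logging target (kdc.log) for the AS-REQ from the client, and whether the host/ principal and the user principal both exist in the realm.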



