[Samba] Kerberos TGT support in Samba 3.0
Andrew Bartlett
abartlet at samba.org
Tue May 20 23:19:27 GMT 2003
On Wed, 2003-05-21 at 03:18, Jerome Walter wrote:
> On Tue, May 20, 2003 at 06:53:13PM +0200, "Martin v. Löwis" wrote:
> > Jerome Walter wrote:
> >
> > >I am trying to find a way to authenticate users on both Windows and unix
> > >stations against the same KDC (MIT) and it would help if Samba was able to
> > >grant access based on TGT tickets delivered to the windows client and then
> > >deliver accounting information to the stations.
> >
> > You will have to add a service principal to your kdc, probably using
> > kadmin addprinc/ktadd. I think the principal name should be
> > "host@REALM". You then need to communicate the principal's key to the
> > keytab on the SMB machine. (perhaps kadmin can do this all in one step).
>
> Just a few steps indeed.
> So, I should consider Samba 3 supports Kerberos authentication more than 2.2.x
> ;)
> One point surprised me yet. When creating principals in the KDC we used to use
> host/hostname.domain.tld@REALM as instance/principal. Should I really add a
> principal without any instance?
>
> > Your clients then don't use their TGT to get access to Samba, but
> > instead go to the KDC which gives them a session ticket for the Samba
> > service. With that session ticket, the clients open the connection to
> > smbd, which validates the ticket based on the shared key that you had
> > created in the KDC before.
>
> Yes, of course, I messed up my explanations while trying to write good
> English and to point out my problem.
>
> Is there any specific configuration to get this working or the compilation
> --with-krb5 and the parameters realm etc ... should be enough?
>
> By the way, the server I am trying to change was the PDC. Is there any
> possibility to keep the PDC functions working while using the Kerberos
> authentication? I am starting to test a GINA with pam to get all the
> functions working, am I wrong? Perhaps I missed something ...
It looks like you want the Active Directory DC support that we just
don't have yet :-).
Samba 3.0 currently can't join an MIT domain, and even if it could, you
still need to make the clients get their tickets from the MIT domain - a
non-trivial task.
Andrew Bartlett
--
Andrew Bartlett abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team abartlet at samba.org
Student Network Administrator, Hawker College abartlet at hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net
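The exchange Martin describes in the quoted reply (service principal created with kadmin, its key copied to the SMB host's keytab, clients trading their TGT for a service ticket that smbd validates with that shared key) as a toy model in Python. This is an added example, not Samba or MIT Kerberos code: the realm, host names and user name are constructed, the KDC and smbd classes are stand-ins for the real daemons, and the "encryption" is an HMAC-SHA256 keystream plus MAC rather than a real Kerberos enctype. The method names mirror the kadmin commands mentioned in the thread (addprinc, ktadd, change_password -randkey).

```python
import hashlib
import hmac
import json
import os
import time

REALM = "EXAMPLE.COM"                                 # constructed realm
SMB_PRINCIPAL = f"host/smb.example.com@{REALM}"       # service principal as described in the thread
TGT_PRINCIPAL = f"krbtgt/{REALM}@{REALM}"


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode: a toy stand-in for Kerberos enctypes, not for real use
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, obj: dict) -> bytes:
    """Encrypt-then-MAC a small JSON object: nonce || ciphertext || tag."""
    plain = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plain, _keystream(key, nonce, len(plain))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> dict:
    """Check the tag, then decrypt; ValueError means the key does not match (or tampering)."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bad ticket: MAC mismatch (wrong key or tampered)")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


class KDC:
    """Minimal KDC: a principal database plus the AS and TGS exchanges."""

    def __init__(self):
        self.db = {TGT_PRINCIPAL: os.urandom(32)}

    def addprinc(self, principal: str) -> None:
        # like `kadmin addprinc -randkey`: store a fresh random long-term key
        self.db[principal] = os.urandom(32)

    def change_password_randkey(self, principal: str) -> None:
        # like `kadmin change_password -randkey`: rotate the key, invalidating old keytabs
        self.db[principal] = os.urandom(32)

    def ktadd(self, principal: str) -> dict:
        # like `kadmin ktadd`: hand the key out so it can be placed in the service's keytab
        return {principal: self.db[principal]}

    def as_exchange(self, client: str) -> bytes:
        # AS exchange boiled down: issue a TGT sealed under the krbtgt key (password check omitted)
        return seal(self.db[TGT_PRINCIPAL], {"client": client, "expires": time.time() + 600})

    def tgs_exchange(self, tgt: bytes, service: str):
        # TGS exchange: validate the TGT, then issue a ticket for `service` plus a session key
        body = unseal(self.db[TGT_PRINCIPAL], tgt)
        if body["expires"] < time.time():
            raise ValueError("TGT expired")
        if service not in self.db:
            raise KeyError(f"unknown service principal {service}")   # addprinc was never run
        session_key = os.urandom(32)
        ticket = seal(self.db[service], {"client": body["client"], "service": service,
                                         "session_key": session_key.hex(),
                                         "expires": time.time() + 600})
        return ticket, session_key


class Smbd:
    """The service side: it never talks to the KDC, it only holds the keytab key."""

    def __init__(self, keytab: dict, principal: str = SMB_PRINCIPAL):
        self.keytab, self.principal = keytab, principal
        self.seen = set()   # accepted authenticators (replay cache)

    def accept(self, ticket: bytes, authenticator: bytes) -> str:
        body = unseal(self.keytab[self.principal], ticket)   # fails if keytab key != KDC key
        if body["service"] != self.principal or body["expires"] < time.time():
            raise ValueError("ticket not for this service or expired")
        auth = unseal(bytes.fromhex(body["session_key"]), authenticator)
        if auth["client"] != body["client"] or abs(auth["ctime"] - time.time()) > 300:
            raise ValueError("authenticator mismatch or clock skew")
        if authenticator in self.seen:
            raise ValueError("replayed authenticator")
        self.seen.add(authenticator)
        return body["client"]


def client_authenticates(kdc: KDC, smbd: Smbd, client: str) -> str:
    # Client side: TGT -> service ticket -> AP-REQ (ticket + authenticator) sent to smbd
    tgt = kdc.as_exchange(client)
    ticket, session_key = kdc.tgs_exchange(tgt, SMB_PRINCIPAL)
    authenticator = seal(session_key, {"client": client, "ctime": time.time()})
    return smbd.accept(ticket, authenticator)


def happy_path() -> str:
    kdc = KDC()
    kdc.addprinc(SMB_PRINCIPAL)                        # step 1: principal exists in the KDC
    smbd = Smbd(kdc.ktadd(SMB_PRINCIPAL))              # step 2: its key is in smbd's keytab
    return client_authenticates(kdc, smbd, f"jerome@{REALM}")   # constructed user


def stale_keytab() -> str:
    # keytab holds a key the KDC has since rotated: the ticket must be rejected
    kdc = KDC()
    kdc.addprinc(SMB_PRINCIPAL)
    old_keytab = kdc.ktadd(SMB_PRINCIPAL)
    kdc.change_password_randkey(SMB_PRINCIPAL)
    try:
        client_authenticates(kdc, Smbd(old_keytab), f"jerome@{REALM}")
    except ValueError as e:
        return str(e)
    return "unexpectedly accepted"
```

The point the model makes concrete is the one Martin's reply relies on: smbd never contacts the KDC at authentication time, so the only thing that can go wrong on the Samba side is the keytab. A ticket sealed under a key the keytab does not hold (principal re-keyed, keytab copied from the wrong host, wrong principal name such as host@REALM versus host/fqdn@REALM) fails the MAC check, which is what a real smbd reports as a decryption failure; the replay cache and clock-skew check are the remaining two things a service must verify on its own.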