Kerberos 4 and Samba as a NT PDC?

Love lha at stacken.kth.se
Thu Aug 3 04:36:55 GMT 2000


Steve Langasek <vorlon at netexpress.net> writes:

> 2) use NTLM hashes in your KDC instead of plaintext passwords.  This will
> cost you interoperability with existing Unix programs deployed on your
> network.

Heimdal [1] supports (with 0.3a) des-cbc-md4 keys, and since Microsoft is
the one who created that keytype, it happens to be the same as NT hashes.

I have successfully exchanged cross-keys between a W2K domain and a Heimdal
realm. Now I can enter my Kerberos 5 password belonging to the Heimdal
realm and be logged into the W2K domain as a user there. One password for each
user, regardless of platform.

Now it should be possible to make samba read the NT hash out of the
heimdal database (through the hdb interface) instead of the `smbpasswd'
file.

The only concern I have is running an smbd on my kerberos server. I don't
trust it. So my question is, how much does one really need to run to be a
keyserver (KS as described in the CIFS papers)?

Love

[1] http://www.pdc.kth.se/heimdal/



