Status of Kerberos Support across Samba versions

David Lindner lindner at castle.zk3.dec.com
Fri May 5 19:52:34 GMT 2000



> So, what would not using the PAC implicate for Samba? Well, you wouldn't
> know what NT groups the ticket had permissions for. If you're willing to
> live with a loss of flexibility, you could do a name-based lookup (against
> the ActiveDirectory, say) to get the groups.

And this is trivial to do via LDAP. Further, you may not always have
the PAC data available to you, as that only shows up when you are
doing a Kerberos-based auth (you may still get NTLM auth reqs).

If a unix user does a kinit type operation (whether this is done
automatically when the user logged in, or whatever), that tgt obtained
from the w2k kdc contains all the lovely secret pac data, and it's
on the unix box. Whoopy do. For unix auth, and for Samba auth, that
unix identity is the important part, because who I am on unix
determines what I have access to. I can still hand that off to
other windows services that might care about that pac data, but
on Unix that pac data is opaque data that I don't care about.

The other time you'll get that pac data is via the (help me out here)
smb tree_connect which does the spnego negotiations. Assuming Samba
actually implements this and responds that it wants to do a gss auth,
you'll receive that pac data.

Dave




