samba + w2k + kerberos + trusted realm

Love lha at stacken.kth.se
Fri Feb 28 04:26:56 GMT 2003


Hej

I got my samba server that is joined to a win2000 AD to talk to a win2000
client with GSSAPI, where the user is from another Kerberos realm than the
AD. The patch below was needed. This requires MIT Kerberos 1.3 (development
branch, not released yet). The w2000 client seems to use SPNEGO with NTLM
only when there isn't an ARCFOUR key. Joining the samba server so it gets an
ARCFOUR key makes the client add krb5 to the SPNEGO mess.

Questions:

- How do the kerberos tests work on any machine? It gets the libs in the
wrong order; the configure script ends up generating a config.status with
'-lkrb5 -lgssapi_krb5' in it. That won't work. Have you thought about using
`krb5-config --libs gssapi`? Then heimdal would work too, well, at least
that test. There is more work to get it working, but that shouldn't be too
hard (please, no krb5 API flame wars).

- Using a keytab file would solve the problem below. Using /etc/krb5.keytab
is a bad idea; how about a separate keytab for samba? Doing hoops of strace
stuff seems, well, strange.

- It would be cool if samba would look up the Alternate name in AD/LDAP to
  match foreign-realm users to local-realm users.

Love


--- source/libads/kerberos_verify.c.old	2002-11-27 03:54:19.000000000 +0100
+++ source/libads/kerberos_verify.c	2003-02-28 04:44:34.000000000 +0100
@@ -101,7 +101,7 @@
 		return NT_STATUS_NO_MEMORY;
 	}
 	
-	krb5_use_enctype(context, &eblock, ENCTYPE_DES_CBC_MD5);
+	krb5_use_enctype(context, &eblock, ENCTYPE_ARCFOUR_HMAC);
 	
 	ret = krb5_string_to_key(context, &eblock, key, &password, &salt);
 	if (ret) {
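Review bot: the enctype is hard-coded to ENCTYPE_ARCFOUR_HMAC in this hunk, so a server whose machine account only has a DES key (or a libkrb5 built without ARCFOUR support) will now fail key derivation where it used to work with ENCTYPE_DES_CBC_MD5; try ARCFOUR_HMAC first and fall back to DES_CBC_MD5 (or loop over both enctypes) rather than replacing one constant with the other. Also note that `krb5_string_to_key(context, &eblock, key, &password, &salt)` on the next line still passes the salt computed above, which ARCFOUR-HMAC string-to-key does not use; a short comment saying the salt is only meaningful for the DES case would stop the next reader from wondering why it is still computed.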


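An added illustration of why switching string-to-key from DES-CBC-MD5 to ARCFOUR-HMAC makes the server's key line up with what the AD holds; this is example code written here, not Samba's code and not part of the post. Per RFC 4757 the ARCFOUR-HMAC key is simply MD4 over the UTF-16LE-encoded password (the NT hash), so the salt is ignored and both sides get the same key whatever principal name or realm string they would have salted with; the DES string-to-key of RFC 3961 mixes the salt in, so the server and the KDC must agree on it. MD4 is implemented inline because hashlib's md4 is often missing on current OpenSSL builds. The password and salt strings are constructed sample inputs.

```python
import struct

MASK32 = 0xFFFFFFFF


def _rotl(v, s):
    return ((v << s) | (v >> (32 - s))) & MASK32


def _md4_compress(state, block):
    """One MD4 compression over a 64-byte block (RFC 1320)."""
    X = struct.unpack("<16I", block)
    a, b, c, d = state

    def F(x, y, z):
        return (x & y) | (~x & z)

    def G(x, y, z):
        return (x & y) | (x & z) | (y & z)

    def H(x, y, z):
        return x ^ y ^ z

    # (function, additive constant, message-word order, per-step shifts)
    rounds = (
        (F, 0x00000000, range(16), (3, 7, 11, 19)),
        (G, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (H, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    for fn, k, order, shifts in rounds:
        for i, idx in enumerate(order):
            a = _rotl((a + fn(b, c, d) + X[idx] + k) & MASK32, shifts[i % 4])
            a, b, c, d = d, a, b, c  # rotate registers so the next step updates the next one
    return [(s + v) & MASK32 for s, v in zip(state, (a, b, c, d))]


def md4(data: bytes) -> bytes:
    """MD4 digest: pad with 0x80, zeros and a little-endian 64-bit bit length."""
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    padded = data + b"\x80"
    padded += b"\x00" * ((56 - len(padded) % 64) % 64)
    padded += struct.pack("<Q", len(data) * 8)
    for off in range(0, len(padded), 64):
        state = _md4_compress(state, padded[off:off + 64])
    return struct.pack("<4I", *state)


def arcfour_hmac_string_to_key(password: str, salt: str) -> bytes:
    """RFC 4757 string-to-key: MD4(UTF-16LE(password)). The salt is ignored,
    which is exactly why a key derived from the machine password matches the
    AD-side key regardless of how the principal/realm salt is spelled."""
    del salt  # accepted for API symmetry with the DES variant, never used
    return md4(password.encode("utf-16-le"))


def key_is_salt_independent(password: str, salts) -> bool:
    """True when every salt yields the same ARCFOUR-HMAC key."""
    return len({arcfour_hmac_string_to_key(password, s) for s in salts}) == 1


if __name__ == "__main__":
    pw = "password"  # constructed sample machine password
    for s in ("EXAMPLE.COMhost/server.example.com", "OTHER.REALMhostserver"):
        print(f"{s:40s} {arcfour_hmac_string_to_key(pw, s).hex()}")
```

The two printed keys are identical; a DES-CBC-MD5 derivation with those two salts would differ, which is the failure mode the patch sidesteps by asking for the ARCFOUR key instead.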


More information about the samba-technical mailing list