Samba and Kerberos

Andrew Bartlett abartlet at
Fri Jan 3 00:12:01 GMT 2003

On Fri, 2003-01-03 at 10:50, Steve Langasek wrote:
> Hi Kenneth,
> On Thu, Jan 02, 2003 at 03:38:47PM -0600, Kenneth Stephen wrote:
> > 	I am trying to understand the state of Samba using Kerberos
> > authentication. I see from a search on the web that ADS support is now
> > available in Samba, and presumably this uses an encrypted password
> > communicated over the network rather than the behaviour that was
> > previously available via the --with-krb5 flag. If so, would it not be a
> > matter of implementation (as opposed to it being technically infeasible)
> > to make sure that --with-krb5 now works with encrypted passwords? Can
> > someone clue me in as to this please?
> ADS-style Kerberos support only works when both client and server are
> Kerberos-aware, so such Kerberos "encrypted passwords" support would be
> limited to Win2K and WinXP clients.  This is a question of technical
> feasibility, not of implementation.
> It appears that the --with-krb5 option is currently used in connection
> with exactly this feature, and that the previous plaintext Kerberos
> support has been dropped in 3.0.

It was dropped because that functionality is better implemented via
pam_krb5.  A patch to re-instate this functionality as an auth module
will probably be accepted, if people really want it...

Andrew Bartlett

Andrew Bartlett                                 abartlet at
Manager, Authentication Subsystems, Samba Team  abartlet at
Student Network Administrator, Hawker College   abartlet at