Samba and Kerberos

Steve Langasek vorlon at netexpress.net
Fri Jan 3 00:41:00 GMT 2003


On Thu, Jan 02, 2003 at 06:28:48PM -0600, Kenneth Stephen wrote:

> > ADS-style Kerberos support only works when both client and server are
> > Kerberos-aware, so such Kerberos "encrypted passwords" support would be
> > limited to Win2K and WinXP clients.  This is a question of technical
> > feasibility, not of implementation.

> Not sure what this means. If I run the Samba server on the same
> machine as a server which understood Kerberos authentication (for example,
> AIX 5.1 with a DCE based KDC), would that qualify? What about the
> extra info that Microsoft stuffs into the Kerberos protocol that I've
> heard Win clients _need_? I need Samba working with a non-Microsoft KDC.

Windows *clients* don't need the extra data; it's only Windows *servers*
that need the data -- however, note that I'm using "server" in the sense
of "anything that provides a service", which would include a workstation
providing login services for members of your Kerberos realm.  If your
Samba server doesn't need to provide domain auth services for
workstation logins, you don't need to worry about the Microsoft PAC.
AFAIK, Samba-as-a-fileserver doesn't even *support* using the PAC yet;
it gets its group information from other, more Unix-y sources.

As for running Samba on a server that understands Kerberos
authentication, even that is not required; you can easily run Samba as
your only Kerberos-enabled application on a given machine (well,
"easily" assuming you know how to go about setting up Kerberos).

Cheers,
-- 
Steve Langasek
postmodern programmer
More information about the samba-technical mailing list