Samba and Kerberos

Andrew Bartlett abartlet at samba.org
Fri Jan 3 01:38:00 GMT 2003


On Fri, 2003-01-03 at 11:39, Steve Langasek wrote:
> On Thu, Jan 02, 2003 at 06:28:48PM -0600, Kenneth Stephen wrote:
> 
> > > ADS-style Kerberos support only works when both client and server are
> > > Kerberos-aware, so such Kerberos "encrypted passwords" support would be
> > > limited to Win2K and WinXP clients.  This is a question of technical
> > > feasibility, not of implementation.
> 
> > 	Not sure what this means. If I run the Samba server on the same
> > machine as a server which understood Kerberos authentication (for example,
> > AIX 5.1 with a DCE based KDC), would that qualify? What about the
> > extra info that Microsoft stuffs into the Kerberos protocol that I've
> > heard Win clients _need_? I need Samba working with a non-Microsoft KDC.
> 
> Windows *clients* don't need the extra data; it's only Windows *servers*
> that need the data -- however, note that I'm using "server" in the sense
> of "anything that provides a service", which would include a workstation
> providing login services for members of your Kerberos realm.  If your
> Samba server doesn't need to provide domain auth services for
> workstation logins, you don't need to worry about the Microsoft PAC.
> AFAIK, Samba-as-a-fileserver doesn't even *support* using the PAC yet;
> it gets its group information from other, more Unix-y sources.
> 
> As for running Samba on a server that understands Kerberos
> authentication, even that is not required; you can easily run Samba as
> your only Kerberos-enabled application on a given machine (well,
> "easily" assuming you know how to go about setting up Kerberos).

And telling Samba about that machine's keytab.  Currently Samba needs to
know the original plaintext password for the machine.

It's been on my todo for a while - a long while...

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net