Samba and Kerberos

Kenneth Stephen y2kmvs at ebiz.austin.ibm.com
Fri Jan 3 16:06:01 GMT 2003


On Thu, 2 Jan 2003, Steve Langasek wrote:

> On Thu, Jan 02, 2003 at 06:28:48PM -0600, Kenneth Stephen wrote:
>
> > > ADS-style Kerberos support only works when both client and server are
> > > Kerberos-aware, so such Kerberos "encrypted passwords" support would be
> > > limited to Win2K and WinXP clients.  This is a question of technical
> > > feasibility, not of implementation.

	I missed asking about this point before: why is it a question of
technical feasibility? If the Samba team has reverse-engineered (or
engineered) a solution to a Win KDC and Win client using Kerberos, why
couldn't the same principles be applied to making it work with a non-MS
KDC?

> > 	Not sure what this means. If I run the Samba server on the same
> > machine as a server which understood Kerberos authentication (for example,
> > AIX 5.1 with a DCE based KDC), would that qualify? What about the
> > extra info that Microsoft stuffs into the Kerberos protocol that I've
> > heard Win client _need_? I need Samba working with a non-Microsoft KDC.
>
> Windows *clients* don't need the extra data; it's only Windows *servers*
> that need the data -- however, note that I'm using "server" in the sense
> of "anything that provides a service", which would include a workstation
> providing login services for members of your Kerberos realm.  If your
> Samba server doesn't need to provide domain auth services for
> workstation logins, you don't need to worry about the Microsoft PAC.
> AFAIK, Samba-as-a-fileserver doesn't even *support* using the PAC yet;
> it gets its group information from other, more Unix-y sources.

	So - if I log in to a WinNT/2000 machine with a local id, and map a
share with a (Kerberos) userid and password with Samba authenticating
against a non-MS KDC, it should work - correct?
>
> As for running Samba on a server that understands Kerberos
> authentication, even that is not required; you can easily run Samba as
> your only Kerberos-enabled application on a given machine (well,
> "easily" assuming you know how to go about setting up Kerberos).
>
	I'm not worried about the Kerberos side. I'm not proficient with
that, but I can get help for Kerberos configuration. But I don't understand
your comment: "even that is not required". What is the "that" you are
referring to?

Thanks,
Kenneth

PS. What exactly is a postmodern programmer?



