Samba and Kerberos

Steve Langasek vorlon at
Fri Jan 3 16:20:00 GMT 2003

On Fri, Jan 03, 2003 at 10:05:40AM -0600, Kenneth Stephen wrote:

> On Thu, 2 Jan 2003, Steve Langasek wrote:

>> On Thu, Jan 02, 2003 at 06:28:48PM -0600, Kenneth Stephen wrote:

>>>> ADS-style Kerberos support only works when both client and server are
>>>> Kerberos-aware, so such Kerberos "encrypted passwords" support would be
>>>> limited to Win2K and WinXP clients.  This is a question of technical
>>>> feasibility, not of implementation.

> 	I missed asking about this point before : why is it a question of
> technical feasibility? If the Samba team has reverse-engineered (or
> engineered) a solution to a Win KDC and Win client using Kerberos, why
> couldn't the same principles be applied to making it work with a non-MS
> KDC?

It can be made to work with a non-MS KDC (with effort), but it can't be
made to work with SMB clients which are not Kerberos-enabled.  As long as
you're only expecting this to work with WinXP and Win2K clients, it's
possible.  Older versions of Windows can't be made to send Kerberos
tickets as their authentication information, so with such clients you
have to choose between plaintext auth and the older, non-Kerberized
encrypted password auth.

>> Windows *clients* don't need the extra data; it's only Windows *servers*
>> that need the data -- however, note that I'm using "server" in the sense
>> of "anything that provides a service", which would include a workstation
>> providing login services for members of your Kerberos realm.  If your
>> Samba server doesn't need to provide domain auth services for
>> workstation logins, you don't need to worry about the Microsoft PAC.
>> AFAIK, Samba-as-a-fileserver doesn't even *support* using the PAC yet;
>> it gets its group information from other, more Unix-y sources.

> 	So - if I login to a WinNT/2000 machine with a local id, and map a
> share with a (Kerberos) userid and password with Samba authenticating
> against a non-MS KDC, it should work - correct?

Yes.  The best way to achieve this on a large scale is probably to set up
an Active Directory realm for your workstations, create a trust
relationship between that realm and your non-MS Kerberos realm, and let
Samba map the Active Directory principals to local uids.

>> As for running Samba on a server that understands Kerberos
>> authentication, even that is not required; you can easily run Samba as
>> your only Kerberos-enabled application on a given machine (well,
>> "easily" assuming you know how to go about setting up Kerberos).

> 	I'm not worried about the Kerberos side. I'm not proficient with
> that, but I can get help for Kerberos configuration. But I don't understand
> your comment: "even that is not required". What is the "that" you are
> referring to?

It is not required for the server to understand Kerberos authentication
-- only Samba itself needs to understand Kerberos.

> PS. What exactly is a postmodern programmer?

One who rejects established, absolutist schools of thought about
programming. :)

Steve Langasek
postmodern programmer

More information about the samba-technical mailing list