More Kerberos-related questions

Andrew Bartlett abartlet at samba.org
Wed Jan 8 22:02:01 GMT 2003


On Thu, 2003-01-09 at 08:40, Kenneth Stephen wrote:
> 
> 
> On Thu, 9 Jan 2003, Luke Howard wrote:
> 
> >
> > >	My ultimate goal is to get access to a DFS (an IBM DCE
> > >application) filesystem on a Linux machine. I am dreaming of the following
> > >solution : (1) Samba server which understands Kerberos credentials and
> > >which serves up the DFS filesystem as a share (2) a Linux mount of the
> > >smbfs share and with the Linux server set up to understand Kerberos
> > >credentials. The question here would be if the smbfs client side would
> > >understand the kerberos credentials of the user?
> >
> > I think you could do this using delegation.
> >
> Luke,
> 
> 	I'm afraid you'll have to explain it a bit more. Searching the web
> for "samba" or "smbfs" in conjunction with "delegation" doesn't turn up
> anything but false positives. I assume you mean that I somehow have to get
> the authentication piece on the Linux client side for smbfs delegated to
> something else (the Samba server side? Isn't that the way things normally
> happen?).

If you were to connect to Samba using the CIFS VFS client (when it gets
Kerberos support) or smbmount from Samba 3.0 (slightly modified), you
can pass a Kerberos ticket to the server.

The server can be 'trusted for delegation' by the KDC, which means that
it can take the ticket passed from the client, and use it in the
client's place. (In this case to acquire access to DCE resources.)

I'm not sure why you would want to do this however, when you could just
mount the DFS stuff onto Linux (I assume there is a client...).

This would be more interesting with Win2k clients doing Kerberos
authentication and getting access to previously unix-only resources.

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
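
Added example, not part of the original message and not Samba code: how the
"trusted for delegation" decision shows up in Kerberos ticket flags (RFC 4120
TicketFlags), and which services a client would hand a forwarded TGT to. The
principal names and flag values are constructed, and honouring ok-as-delegate
is assumed client policy (a client may ignore the flag).

```python
from dataclasses import dataclass

# RFC 4120 section 5.3 TicketFlags; bit 0 is the most significant of 32 bits.
FLAG_BITS = {"forwardable": 1, "forwarded": 2, "ok-as-delegate": 13}


def decode_flags(value):
    """Return the names of the delegation-related flags set in `value`."""
    return {n for n, bit in FLAG_BITS.items() if value & (1 << (31 - bit))}


@dataclass
class Ticket:
    principal: str
    flags: int


def client_will_delegate(tgt, svc, honour_ok_as_delegate=True):
    """Decide whether the client forwards its TGT to the service.

    Returns (decision, reason). With a forwarded TGT the server can request
    further tickets as the user, which is what delegation grants it.
    """
    if "forwardable" not in decode_flags(tgt.flags):
        return False, "TGT is not forwardable"
    if honour_ok_as_delegate and "ok-as-delegate" not in decode_flags(svc.flags):
        return False, "KDC has not marked the service as trusted for delegation"
    return True, "forwarded TGT sent; server can act in the user's place"


def delegation_targets(tgt, service_tickets):
    """List the service principals that would receive the user's TGT."""
    return [s.principal for s in service_tickets
            if client_will_delegate(tgt, s)[0]]


# Constructed sample tickets (hypothetical realm EXAMPLE.COM).
TGT = Ticket("krbtgt/EXAMPLE.COM", 0x40E10000)            # forwardable
LOCKED_TGT = Ticket("krbtgt/EXAMPLE.COM", 0x00E10000)     # not forwardable
SERVICES = [
    Ticket("cifs/dfsgw.example.com", 0x40A50000),   # ok-as-delegate set
    Ticket("cifs/files.example.com", 0x40A10000),   # ok-as-delegate clear
]

if __name__ == "__main__":
    for svc in SERVICES:
        print(svc.principal, client_will_delegate(TGT, svc))
```

Every principal returned by delegation_targets ends up holding a usable copy
of the user's TGT, so that list is the set of servers worth reviewing when
auditing which hosts the KDC trusts for delegation.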