Kerberos and Samba
Gémes Géza
geza at kzsdabas.sulinet.hu
Tue Apr 13 08:03:39 GMT 2004
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
|> _____________               _____________               _____________
|>|             |             |             |             |             |
|>|   Windows   |--Kerberos-->|    Samba    |------------>|     AFS     |
|>|   client    |    auth     |   server    |             |    cell     |
|>|_____________|             |_____________|             |_____________|
|>                                   ^
|>                                   |
|>                                   |
|>                                   |
|>                                   |
|>                                   |
|>                             ______|______
|>                            |             |
|>                            |     AD      |
|>                            |   server    |
|>                            |_____________|
|
|
| No. This is the ideal world that would not require a kludge as large
| as --fake-kaserver. (In theory, a proxied/impersonation ticket would
| work)
|
|
|>But what I was thinking about would be:
|>
|> _____________               _____________               _____________
|>|             |             |             |             |    Coda     |
|>|   Windows   |----NTLM---->|    Samba    |------------>|     or      |
|>|   client    |    auth     |     PDC     |             |     AFS     |
|>|_____________|             |_LDAP back___|             |____cell_____|
|>                                   ^
|>                                   |
|>                                   | getting ticket
|>                                   | for
|>                                   | Kerberos unaware clients
|>                             ______|______
|>                            |             |
|>                            |   Heimdal   |
|>                            |   current   |
|>                            |_LDAP back___|
|>
|
|
| This is what the fake-kaserver does, except that it does not need to
| access the user's passwords, it only needs to access the AFS server's
| password (and can spoof tickets from there).
|
| Ask volker for the fine details.
|
| Andrew Bartlett
Ok then my question would be:
with fake-kaserver can I get a Kerberos ticket (not just an AFS token) for
the running smbd process (smbd would kinit using the connected user's
NTPassword)?
My goal is to experiment with a Samba+Coda setup, which could serve
Windows+UNIX hosts (maybe some Coda LDAP integration, common userspace,
maybe some kind of nested groups (Coda already uses them)).
Thanks
Geza
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFAe57a/PxuIn+i1pIRAtg+AKCGvIjNp20kloqTc5fvaJ1ma8LfXgCeIfO8
P/p1LpNMJmB3zNG0td5j9MI=
=INaV
-----END PGP SIGNATURE-----
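Added example (not part of the thread, and not Samba or Heimdal code): the idea behind "smbd would kinit using the connected user's NTPassword" works because RFC 4757 defines the RC4-HMAC string-to-key function as MD4(UTF-16LE(password)), which is exactly the NT hash. A service that holds only a user's NT hash can therefore produce the encrypted PA-ENC-TIMESTAMP an AS-REQ needs and obtain a TGT without ever seeing the password; the same fact is why NT hashes have to be protected as password-equivalent credentials. The Python below implements the RFC 4757 key derivation and encryption (MD4 and RC4 in pure Python so it runs without OpenSSL's legacy provider) and round-trips a DER-encoded PA-ENC-TS-ENC between a "client" holding the hash and a "KDC" holding the same long-term key. The password "password", the timestamp and the function names are constructed for the illustration; nothing here talks to a real KDC, and the AS-REQ/AS-REP framing around the pre-authentication is omitted.

```python
import hashlib
import hmac
import os
import struct

MASK32 = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """MD4 per RFC 1320 in pure Python (hashlib's md4 is often missing because
    OpenSSL 3 moved it to the legacy provider)."""
    rol = lambda x, n: ((x << n) | (x >> (32 - n))) & MASK32
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rounds = (
        (F, 0x00000000, (3, 7, 11, 19), list(range(16))),
        (G, 0x5A827999, (3, 5, 9, 13), [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]),
        (H, 0x6ED9EBA1, (3, 9, 11, 15), [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]),
    )
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg)) % 64)
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)  # bit length, LE
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        v = state[:]
        for fn, const, shifts, order in rounds:
            for i in range(16):
                idx = (-i) % 4  # the RFC's step order a, d, c, b
                x, y, z = v[(idx + 1) % 4], v[(idx + 2) % 4], v[(idx + 3) % 4]
                v[idx] = rol((v[idx] + fn(x, y, z) + X[order[i]] + const) & MASK32, shifts[i % 4])
        state = [(s + w) & MASK32 for s, w in zip(state, v)]
    return struct.pack("<4I", *state)


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 keystream XOR; RFC 4757 uses the cipher unmodified."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)). RFC 4757 section 3 defines the RC4-HMAC
    long-term key as this same value, so the hash IS the Kerberos key."""
    return md4(password.encode("utf-16-le"))


def _md5_hmac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.md5).digest()


def rc4_hmac_encrypt(key: bytes, usage: int, plaintext: bytes, confounder=None) -> bytes:
    """RFC 4757 section 6: K1 = HMAC(K, T); checksum = HMAC(K1, confounder||data);
    K3 = HMAC(K1, checksum); output = checksum || RC4(K3, confounder||data)."""
    if confounder is None:
        confounder = os.urandom(8)
    k1 = _md5_hmac(key, struct.pack("<I", usage))  # T = usage as 4-byte LE int
    data = confounder + plaintext
    checksum = _md5_hmac(k1, data)
    k3 = _md5_hmac(k1, checksum)
    return checksum + rc4(k3, data)


def rc4_hmac_decrypt(key: bytes, usage: int, ciphertext: bytes) -> bytes:
    """Inverse of rc4_hmac_encrypt; rejects a wrong key or modified data."""
    if len(ciphertext) < 24:  # 16-byte checksum + 8-byte confounder
        raise ValueError("ciphertext too short")
    checksum, body = ciphertext[:16], ciphertext[16:]
    k1 = _md5_hmac(key, struct.pack("<I", usage))
    k3 = _md5_hmac(k1, checksum)
    data = rc4(k3, body)
    if not hmac.compare_digest(_md5_hmac(k1, data), checksum):
        raise ValueError("integrity check failed: wrong key or modified data")
    return data[8:]  # strip the confounder


KU_AS_REQ_PA_ENC_TIMESTAMP = 1  # key usage number for PA-ENC-TIMESTAMP


def pa_enc_ts_enc(kerberos_time: str) -> bytes:
    """DER-encode PA-ENC-TS-ENC ::= SEQUENCE { patimestamp [0] KerberosTime }
    (optional pausec omitted). KerberosTime is a GeneralizedTime, e.g. 20040413080339Z."""
    ts = kerberos_time.encode("ascii")
    generalized_time = bytes([0x18, len(ts)]) + ts
    ctx0 = bytes([0xA0, len(generalized_time)]) + generalized_time
    return bytes([0x30, len(ctx0)]) + ctx0


def preauth_from_nt_hash(nthash: bytes, kerberos_time: str) -> bytes:
    """Client side holding only the NT hash: the encrypted pre-auth for an AS-REQ."""
    return rc4_hmac_encrypt(nthash, KU_AS_REQ_PA_ENC_TIMESTAMP, pa_enc_ts_enc(kerberos_time))


def kdc_check_preauth(nthash: bytes, pa_data: bytes) -> bytes:
    """KDC side: decrypt with the user's stored long-term key; returns the DER payload."""
    return rc4_hmac_decrypt(nthash, KU_AS_REQ_PA_ENC_TIMESTAMP, pa_data)


if __name__ == "__main__":
    key = nt_hash("password")  # constructed throwaway password, not from the thread
    print("NT hash / RC4-HMAC key:", key.hex())
    pa = preauth_from_nt_hash(key, "20040413080339Z")
    print("PA-ENC-TIMESTAMP:", pa.hex())
    print("KDC recovered:", kdc_check_preauth(key, pa).hex())
```

Run it directly to see the key and pre-auth blob; the point to take away is that the "client" never needed the clear-text password, only the 16 bytes Samba already stores as the NT hash. Windows 2000/2003-era AD negotiated RC4-HMAC by default, which is the setting this thread is about; with AES enctypes (RFC 3962) the key derivation uses PBKDF2 over the password plus the salt, so the NT hash alone is no longer sufficient for that enctype.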