Kerberos and security=user
diamond at nonado.net
Fri Apr 22 16:08:40 GMT 2005
Andrew Bartlett wrote:
> Some sites have managed to run kerberos against Heimdal or MIT, and have
> windows/linux/mac clients 'play nice' with it, and it would be good if
> this did not require the admin to set Samba into 'security=ads' mode.
> This untested, and potentially unwise patch allows this. The section
> changing the principal name we return in the negprot may not be the best
> thing to do here however. (instead, the machine$@REALM could also be
> added to the keytab).
I've done some basic testing with this patch, and for winxp (sp1 and
sp2), it works perfectly. Windows asks the tgt for a ticket for
cifs/machine at REALM, and all is well. Smbclient is a bit more naive tho,
and looks for a ticket for machine$@REALM. It would be nice if it
handled things the same way as xp. I haven't got win2k around here to
test this patch with, so i can only speculate that it will also work fine.
More information about the samba-technical