PAC Success!
mschwartz at dcscorp.net
Tue Aug 30 12:06:02 GMT 2005
A major Kudos is in order! Outstanding news on the PAC!
I would really like to do some testing outside of the basic file system.
At this point, could someone send me their config files for Samba4 so
I can test domain joins/logons and other things? I attempted to
"guess" some of the config setting but no dice. Do I need to configure
Heimdal separately? Any help provided will allow me to be of some use.
Thanks!
Matt
Andrew Bartlett <abartlet at samba.org> wrote on 08/30/2005, 01:02:22 PM:
> While a few of you have already noticed, I realised that I had not yet
> announced our success with the PAC.
>
> As many of you know, Samba4 has an implementation of the Active
> Directory logon protocols, and we demonstrated WinXP performing a domain
> join, and domain logon many months ago.
>
> Until recently, we were in a situation of 'one step forward, two steps
> back', as we have enabled a KDC in Samba4, and are using it quite
> successfully. However, the KDC we are operating is still unable to
> generate a PAC acceptable to the windows client, which causes the
> windows domain logon to fail. That's a real pity, because that login
> was the pride of the SambaXP show - it really demonstrates how far we
> have come.
>
> As we moved on, we have added kerberos to our collection of implemented
> protocols, incorporating modified snapshots of Heimdal kerberos into the
> source. However, this was one of those 'two steps forward, one step
> back' moments, as we were forced to implement the PAC, to satisfy the
> domain logon.
>
> Anyway, Microsoft's proprietary extension to Kerberos, the PAC is a
> signed and validated data structure that includes information on the
> user and their group membership. As such, it is mandatory for the
> domain logon sequence.
>
> For the last 12 months, I have been working on and off, along with
> Stefan Metzmacher and others on the Samba and Heimdal teams, to build a
> KDC that a Windows client will respect as one of its own. Slowly, we
> have built backends, hacks, and patches for the KDC we derived from the
> Heimdal Kerberos.
>
> As the months have gone by, we have got closer and closer, and last
> Friday we finally cracked it: I arranged to spend a Thursday with
> Tridge, to show him the ropes, and to see what progress we could make,
> and we continued to work on the problem on Friday. Tridge made the
> first real headway by narrowing the problem to just kerberos (by using
> proxies and an account database obtained from Win2k3 with samsync).
>
> As the day progressed, Tridge and I attacked just the kerberos
> differences. We even had Samba4 issue a service ticket from an AS-REQ
> issued by Win2k3. This allowed us to use a 'real PAC' in a Samba4
> ticket (and allowed us to narrow the differences further).
>
> Anyway, the long and short of it is that we can now generate a PAC fully
> acceptable to the windows workstation!
>
> In going so far, I do have to thank Stefan Metzmacher, Andrew Tridgell
> and Love Hörnquist Åstrand, because without their efforts, this simply
> would not have been possible!
>
> To try this yourselves, set:
> gensec:gssapi_krb5=yes
>
> in your Samba4 smb.conf, follow the HOWTO in Samba4 checkout.
>
> Andrew Bartlett
> --
> Andrew Bartlett http://samba.org/~abartlet/
> Samba Developer, SuSE Labs, Novell Inc. http://suse.de
> Authentication Developer, Samba Team http://samba.org
> Student Network Administrator, Hawker College http://hawkerc.net
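The quoted announcement describes the PAC as a signed and validated structure carrying the user and their group membership, and the failure mode as a Windows client rejecting a PAC whose signatures it cannot accept. As an added illustration, not code from Samba, Heimdal or the original post, here is a small Python model of the MS-PAC container (PACTYPE header, PAC_INFO_BUFFER index, PAC_CLIENT_INFO, and the server and KDC checksum buffers) using the RC4-HMAC signature type, i.e. the RFC 4757 HMAC-MD5 keyed checksum with key usage 17. The keys, the user name and the logon-info payload are constructed stand-ins (the logon-info bytes are an opaque placeholder, not real NDR), and the function names are this example's own.

```python
import hashlib
import hmac
import struct

# PAC_INFO_BUFFER ulType values from MS-PAC.
PAC_LOGON_INFO = 1        # KERB_VALIDATION_INFO: user SID, group RIDs, ...
PAC_SERVER_CHECKSUM = 6   # signed with the target service's key
PAC_PRIVSVR_CHECKSUM = 7  # KDC (krbtgt) signature over the server signature
PAC_CLIENT_INFO = 10      # client name and ticket authtime

KERB_CHECKSUM_HMAC_MD5 = 0xFFFFFF76  # checksum type -138 (RC4-HMAC)
KERB_NON_KERB_CKSUM_SALT = 17        # key usage for PAC checksums
SIG_LEN = 16                         # HMAC-MD5 output length


def rc4_hmac_checksum(key, data, usage=KERB_NON_KERB_CKSUM_SALT):
    """RFC 4757 HMAC-MD5 keyed checksum, as used for PAC signatures."""
    ksign = hmac.new(key, b"signaturekey\0", hashlib.md5).digest()
    inner = hashlib.md5(struct.pack("<I", usage) + data).digest()
    return hmac.new(ksign, inner, hashlib.md5).digest()


def build_pac(buffers):
    """Serialise (type, bytes) pairs into a PACTYPE blob, buffers 8-byte aligned."""
    header = bytearray(struct.pack("<II", len(buffers), 0))  # cBuffers, Version
    offset = 8 + 16 * len(buffers)
    body, entries = bytearray(), []
    for buf_type, data in buffers:
        pad = (-offset) % 8
        body += b"\0" * pad
        offset += pad
        entries.append(struct.pack("<IIQ", buf_type, len(data), offset))
        body += data
        offset += len(data)
    return bytes(header + b"".join(entries) + body)


def parse_pac(blob):
    """Return {ulType: (offset, size)}, bounds-checking every index entry."""
    count, version = struct.unpack_from("<II", blob, 0)
    if version != 0:
        raise ValueError("unknown PAC version %d" % version)
    index = {}
    for i in range(count):
        buf_type, size, offset = struct.unpack_from("<IIQ", blob, 8 + 16 * i)
        if offset + size > len(blob):
            raise ValueError("PAC buffer %d out of bounds" % buf_type)
        index[buf_type] = (offset, size)
    return index


def _signature(blob, index, buf_type):
    """PAC_SIGNATURE_DATA: uint32 SignatureType followed by the signature bytes."""
    offset, size = index[buf_type]
    sig_type, = struct.unpack_from("<I", blob, offset)
    if sig_type != KERB_CHECKSUM_HMAC_MD5:
        raise ValueError("unsupported signature type 0x%x" % sig_type)
    return blob[offset + 4:offset + size]


def _with_zeroed_signatures(blob, index):
    """The server checksum covers the whole PAC with both signature fields zeroed."""
    out = bytearray(blob)
    for buf_type in (PAC_SERVER_CHECKSUM, PAC_PRIVSVR_CHECKSUM):
        offset, size = index[buf_type]
        out[offset + 4:offset + size] = b"\0" * (size - 4)
    return bytes(out)


def sign_pac(buffers, service_key, krbtgt_key):
    """What a KDC does: append both checksum buffers, then fill them in."""
    placeholder = struct.pack("<I", KERB_CHECKSUM_HMAC_MD5) + b"\0" * SIG_LEN
    pac = bytearray(build_pac(buffers + [(PAC_SERVER_CHECKSUM, placeholder),
                                         (PAC_PRIVSVR_CHECKSUM, placeholder)]))
    index = parse_pac(pac)
    server_sig = rc4_hmac_checksum(service_key, bytes(pac))  # signatures still zero
    kdc_sig = rc4_hmac_checksum(krbtgt_key, server_sig)      # KDC signs the server sig
    for buf_type, sig in ((PAC_SERVER_CHECKSUM, server_sig), (PAC_PRIVSVR_CHECKSUM, kdc_sig)):
        offset, _ = index[buf_type]
        pac[offset + 4:offset + 4 + SIG_LEN] = sig
    return bytes(pac)


def verify_pac(blob, service_key, krbtgt_key=None):
    """Check the server checksum, and the KDC checksum too if the krbtgt key is known."""
    index = parse_pac(blob)
    server_sig = _signature(blob, index, PAC_SERVER_CHECKSUM)
    expected = rc4_hmac_checksum(service_key, _with_zeroed_signatures(blob, index))
    if not hmac.compare_digest(server_sig, expected):
        return False
    if krbtgt_key is None:
        return True  # a member server holds only its own key and stops here
    kdc_sig = _signature(blob, index, PAC_PRIVSVR_CHECKSUM)
    return hmac.compare_digest(kdc_sig, rc4_hmac_checksum(krbtgt_key, server_sig))


def client_name(blob):
    """Decode PAC_CLIENT_INFO: FILETIME ClientId, uint16 NameLength, UTF-16LE Name."""
    offset, _ = parse_pac(blob)[PAC_CLIENT_INFO]
    _authtime, name_len = struct.unpack_from("<QH", blob, offset)
    return blob[offset + 10:offset + 10 + name_len].decode("utf-16-le")


# Constructed sample data for this example: keys, user and payload are made up.
SERVICE_KEY = hashlib.md5(b"example host/ws.example.com key").digest()
KRBTGT_KEY = hashlib.md5(b"example krbtgt key").digest()
USER = "tridge"
SAMPLE_BUFFERS = [
    (PAC_LOGON_INFO, b"\x01\x10\x08\x00" + b"\x00" * 28),  # opaque stand-in, not real NDR
    (PAC_CLIENT_INFO, struct.pack("<QH", 0, 2 * len(USER)) + USER.encode("utf-16-le")),
]


def demo():
    pac = sign_pac(SAMPLE_BUFFERS, SERVICE_KEY, KRBTGT_KEY)
    tampered = bytearray(pac)
    off, _ = parse_pac(pac)[PAC_LOGON_INFO]
    tampered[off + 8] ^= 0x01  # flip one bit inside the "group membership" data
    return {
        "user": client_name(pac),
        "valid": verify_pac(pac, SERVICE_KEY, KRBTGT_KEY),
        "tampered": verify_pac(bytes(tampered), SERVICE_KEY, KRBTGT_KEY),
        "wrong_key": verify_pac(pac, KRBTGT_KEY, KRBTGT_KEY),
    }
```

Running `demo()` returns the decoded client name, `True` for the freshly signed PAC, and `False` both for a PAC whose logon data was altered after signing and for one checked against the wrong service key. The split between the two checksums is the point to keep in mind when reading the announcement: a workstation or member server holds only its own service key, so it can check the server checksum locally but has to trust the KDC checksum (or ask a domain controller to validate it), which is why a KDC that gets the signing wrong produces a logon that fails on the Windows side.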