Kerberos and security=user

Mark Proehl m.proehl at
Wed May 18 13:31:42 GMT 2005

Hi Andrew,

I have tested your patch (applied against 3.0.14a) with XP (SP1 and SP2)
in a MIT and a Heimdal realm. It's working perfectly.

By setting "security = ads" and using an unpatched Samba server, 
I am able to do Kerberos authentication in an MIT realm in the same 
way. What ist the advantage of "security = user" in such an environment?

Will future Samba release include this patch?



Am Freitag 22 April 2005 16:00 schrieb Andrew Bartlett:
> Some sites have managed to run kerberos against Heimdal or MIT, and have
> windows/linux/mac clients 'play nice' with it, and it would be good if
> this did not require the admin to set Samba into 'security=ads' mode.
> This untested, and potentially unwise patch allows this.  The section
> changing the principal name we return in the negprot may not be the best
> thing to do here however.  (instead, the machine$@REALM could also be
> added to the keytab).
> Andrew Bartlett

More information about the samba-technical mailing list