Samba + Kerberos backend - AD backend

Andrew Bartlett abartlet at samba.org
Tue Dec 16 21:51:07 GMT 2008


On Tue, 2008-12-16 at 07:55 -0800, kronda wrote:
> 
> Thanks for the answer.
> 
> 
> paul kölle wrote:
> > 
> > 
> >> This is the main task. No Single Sign On, no
> >> Kerberos tickets being passed between Samba client and Samba server, no
> >> client membership in any domain. If possible I would prefer to not send
> >> plain text passwords over net
> > Probably not possible. You don't have (cleartext) passwords in LDAP so
> > none of the challenge-response SASL mechanisms will work.
> > 
> 
> But this means that setting up Samba with Kerberos backend is impossible to
> do without special configuration on each modern windows machine accessing
> the server (because the default is encrypted password on Windows 2000, XP),
> right? I did not want to hear that :( And I still do not see why samba can
> pass (encrypted password) authentication to AD (which is basically
> LDAP+Kerberos) and not to LDAP+Kerberos. Or am I wrong in this?

Samba passes on the NTLM challenge and response to another server
capable of understanding that combination.  AD is one example, a Samba
DC is another.  A Heimdal KDC is yet another (but nobody has ever
written the link), because it has an additional special mode that
accepts this input.  But general Kerberos is not compatible - it
requires the plaintext password to decrypt the ticket.

The reason I've been working on Samba4 for all these years is because
this isn't easy - the only way windows clients work well with Kerberos
(I don't count the 'MIT compatibility mode' as working well, it requires
all users be mirrored as local users, or mirrored in AD) is with AD, or
a compatible replacement.  I'm building Samba4 as that compatible
replacement.  Feel free to try it out.

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.
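The pass-through Andrew describes, as an added example in Python that is not part of this thread and is not Samba's own code: the Samba file server issues an 8-byte challenge, the Windows client answers with an NTLMv2 response, and Samba hands challenge plus response to a verifier holding the user's NT hash (an AD DC or a Samba DC). The verifier recomputes the proof from the NT hash alone and never needs the cleartext; a directory whose only credential is a salted SHA of the password has nothing it can check against such a response, which is Paul's point above. Field layout follows MS-NLMP; MD4 is written out inline because OpenSSL 3 builds of hashlib often refuse it. The user, domain, password, challenges, timestamp and target info are constructed sample values.

```python
"""Added example (not from the thread or from Samba): NTLMv2 challenge/response
pass-through.  Samba sees only challenge + response; the DC verifies using the
stored NT hash.  MD4 is inline because hashlib often lacks it under OpenSSL 3.
All sample values below are constructed."""
import hashlib
import hmac
import struct

_M = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & _M


def md4(msg: bytes) -> bytes:
    """RFC 1320 MD4; the NT hash is MD4 over the UTF-16LE password."""
    bit_len = (len(msg) * 8) & 0xFFFFFFFFFFFFFFFF
    msg += b"\x80" + b"\x00" * ((55 - len(msg)) % 64) + struct.pack("<Q", bit_len)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for i in range(16):                                        # round 1, F
            a = _rotl((a + ((b & c) | (~b & d)) + X[i]) & _M, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                                        # round 2, G
            k = (i % 4) * 4 + i // 4
            a = _rotl((a + ((b & c) | (b & d) | (c & d)) + X[k] + 0x5A827999) & _M,
                      (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i, k in enumerate((0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)):
            a = _rotl((a + (b ^ c ^ d) + X[k] + 0x6ED9EBA1) & _M, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c                                # round 3, H
        h = [(x + y) & _M for x, y in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> bytes:
    return md4(password.encode("utf-16-le"))


def ntlmv2_key(nt: bytes, user: str, domain: str) -> bytes:
    """NTOWFv2: HMAC-MD5 keyed with the NT hash over UPPER(user) + domain."""
    return hmac.new(nt, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def client_response(password: str, user: str, domain: str, server_challenge: bytes,
                    client_challenge: bytes, timestamp: int, target_info: bytes) -> bytes:
    """What the Windows client sends back: NTProofStr || temp (MS-NLMP 3.3.2)."""
    temp = (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp)
            + client_challenge + b"\x00" * 4 + target_info + b"\x00" * 4)
    proof = hmac.new(ntlmv2_key(nt_hash(password), user, domain),
                     server_challenge + temp, hashlib.md5).digest()
    return proof + temp


def dc_verify(stored_nt: bytes, user: str, domain: str,
              server_challenge: bytes, response: bytes) -> bool:
    """The verifier Samba forwards to.  Recomputes the proof from the NT hash alone."""
    proof, temp = response[:16], response[16:]
    expected = hmac.new(ntlmv2_key(stored_nt, user, domain),
                        server_challenge + temp, hashlib.md5).digest()
    return hmac.compare_digest(proof, expected)


def demo() -> dict:
    """Constructed exchange with fixed challenges and timestamp so it is reproducible."""
    user, domain, password = "alice", "EXAMPLE", "correct horse battery staple"
    stored_nt = nt_hash(password)                       # what the DC holds for alice
    challenge = bytes.fromhex("0123456789abcdef")       # issued by the Samba server
    target_info = (b"\x02\x00\x0e\x00" + "EXAMPLE".encode("utf-16-le")  # MsvAvNbDomainName
                   + b"\x00\x00\x00\x00")                                # MsvAvEOL
    args = (challenge, bytes.fromhex("fedcba9876543210"), 0x01D4F0A0B0C0D0E0, target_info)
    genuine = client_response(password, user, domain, *args)
    guessed = client_response("wrong", user, domain, *args)
    return {
        "genuine": dc_verify(stored_nt, user, domain, challenge, genuine),
        "wrong_password": dc_verify(stored_nt, user, domain, challenge, guessed),
        # a captured response is useless against a fresh challenge
        "replayed": dc_verify(stored_nt, user, domain, bytes.fromhex("ffffffffffffffff"), genuine),
    }


if __name__ == "__main__":
    print(demo())
```

Running it shows the genuine response verifying, the wrong password and the replay failing. Note that `dc_verify` is keyed by the NT hash and nothing else: whoever holds that hash can play the DC's role in this exchange, which is why the hash must be protected like a password and why a backend that does not store it cannot take part at all.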