samba and kerberos

Manuel Sabban manuel.sabban at
Thu Jul 11 07:45:01 MDT 2013


I searched for quite some time now, and I am quite clueless of how to achieve our final configuration. I am not even sure that it is possible.

Here's the thing.

We have a network with around 1000 computers, I would say. It is mixed between Windows and Linux stations. Until now we had LDAP servers to authenticate against. The Windows box authentications were managed by a samba3 with ldapsam backend.

Now, we would like to deploy windows 7, with an active directory support with samba4. But we also would like to change the authentication to a kerberos realm for the linux boxes.

So I set up a samba4 domain controller and a MIT kerberos server. For the sake of details, the samba4 version is 4.0.3 from debian experimental (as the beta3 version in wheezy didn't do well with external cifs server) on a wheezy.

Now I want to set up cross-realm trust between kerberos and the internal kerberos of samba4 (I would like the ticket being useable on both realms).
I created principals for the two realms.

Let's say REALM1 = Kerberos MIT
and REALM2 = samba4

I created krbtgt/REALM1@REALM2 and krbtgt/REALM2@REALM1 on both realms using kadmin for the kerberos part, samba-tool (create a user, create principals for this user, and exportkeytab for these principals). I used the same password. I tried to create the keytab first on samba4 and after on kerberos but none work.

It seems that I am able to get a TGT from the foreign realm (REALM1 if I kinit-ed to REALM2 for example), but the TGS failed to be delivered (TGS_REQ failing with Decrypt integrity check failed). I am quite sure that ciphers are the same on both sides.

So now here's the question:

1. Is this possible?
2. Is there something I missed?
3. Maybe there's a better option to achieve what I want, or nearly achieve what I want.

Thank you for your work on samba, and for your help.

Best regards,
Manuel Sabban
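
Added example, not part of the original post: "Decrypt integrity check failed" on a cross-realm TGS_REQ typically means the two KDCs do not hold the same key for the trust principal, so one check is to export that principal's keytab from each side and compare kvno, enctype and key bytes. The function names and the sample keytabs below are constructed for illustration; REALM1 and REALM2 are the placeholders from the post.

```python
import struct

def _counted(buf, off):  # 16-bit length-prefixed field -> (bytes, next offset)
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data):
    """Parse a version 0x0502 keytab into (principal, kvno, enctype, key) tuples."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        rec, pos = data[pos + 4:pos + 4 + abs(size)], pos + 4 + abs(size)
        if size <= 0:                      # deleted slot (hole): skip it
            continue
        (ncomp,) = struct.unpack_from(">H", rec, 0)
        off, names = 2, []                 # names[0] is the realm, the rest are components
        for _ in range(ncomp + 1):
            name, off = _counted(rec, off)
            names.append(name.decode())
        _ntype, _ts, kvno, enctype = struct.unpack_from(">IIBH", rec, off)
        key, off = _counted(rec, off + 11)
        if len(rec) - off >= 4:            # optional 32-bit kvno overrides the 8-bit one
            (kvno,) = struct.unpack_from(">I", rec, off)
        entries.append(("/".join(names[1:]) + "@" + names[0], kvno, enctype, key))
    return entries

def compare_trust_keys(kt_a, kt_b, principal):
    """List (kvno, enctype) mismatches for one principal across two keytabs."""
    a, b = ({(k, e): key for p, k, e, key in parse_keytab(kt) if p == principal}
            for kt in (kt_a, kt_b))
    problems = []
    for kv in sorted(set(a) | set(b)):
        if kv not in a or kv not in b:
            problems.append(f"kvno={kv[0]} enctype={kv[1]}: only in one keytab")
        elif a[kv] != b[kv]:
            problems.append(f"kvno={kv[0]} enctype={kv[1]}: key bytes differ")
    return problems

def build_entry(realm, comps, kvno, enctype, key):
    """Serialize one record; used only to construct the sample data below."""
    cs = lambda b: struct.pack(">H", len(b)) + b
    body = (struct.pack(">H", len(comps)) + b"".join(cs(s.encode()) for s in [realm, *comps])
            + struct.pack(">IIBH", 1, 0, kvno & 0xFF, enctype) + cs(key) + struct.pack(">I", kvno))
    return struct.pack(">i", len(body)) + body
# Constructed sample: one trust principal as exported by each KDC, AES256 (enctype 18)
KT_MIT = b"\x05\x02" + build_entry("REALM1", ["krbtgt", "REALM2"], 1, 18, bytes(32))
KT_SAMBA = b"\x05\x02" + build_entry("REALM1", ["krbtgt", "REALM2"], 2, 18, b"\x01" * 32)
```

An empty list from `compare_trust_keys` means both keytabs carry identical keys for that principal; any entry in the list names the kvno and enctype to fix before retrying the cross-realm request.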
