samba and kerberos
Manuel Sabban
manuel.sabban at telecom-paristech.fr
Thu Jul 11 07:45:01 MDT 2013
Hi,
I have searched for quite some time now, and I am quite clueless as to how to achieve our final configuration. I am not even sure that it is possible.
Here's the thing.
We have a network with around 1000 computers, I would say. It is mixed between Windows and Linux stations. Until now we had LDAP servers to authenticate against. The Windows box authentications were managed by a samba3 with ldapsam backend.
Now, we would like to deploy Windows 7, with Active Directory support from samba4. But we also would like to change the authentication to a Kerberos realm for the Linux boxes.
So I set up a samba4 domain controller and a MIT Kerberos server. For the sake of details, the samba4 version is 4.0.3 from debian experimental (as the beta3 version in wheezy didn't do well with external cifs servers) on a wheezy.
Now I want to set up a cross-realm trust between Kerberos and the internal Kerberos of samba4 (I would like the tickets to be usable in both realms).
I created principals for the two realms.
Let's say REALM1 = Kerberos MIT
and REALM2 = samba4
I created krbtgt/REALM1@REALM2 and krbtgt/REALM2@REALM1 on both realms, using kadmin for the Kerberos part and samba-tool for samba4 (create a user, create principals for this user, and exportkeytab for these principals). I used the same password. I tried to create the keytab first on samba4 and afterwards on Kerberos, but neither works.
It seems that I am able to get a TGT from the foreign realm (REALM1 if I kinit-ed to REALM2, for example), but the TGS is not delivered (the TGS_REQ fails with "Decrypt integrity check failed"). I am quite sure that the ciphers are the same on both sides.
So now here are the questions:
1. Is this possible?
2. Is there something I missed?
3. Maybe there's a better option to achieve what I want, or nearly achieve what I want.
Thank you for your work on samba, and for your help.
Best regards,
Manuel Sabban
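The symptom described in the post ("Decrypt integrity check failed" on the cross-realm TGS_REQ, while the foreign TGT is issued) is what a KDC reports when the two realms hold different keys for the shared krbtgt principal. Typing the same password on both sides is not enough on its own: for the AES enctypes the key is derived from the password plus a salt, so identical passwords produce identical keys only if both KDCs used the same salt, and the kvno recorded on each side must match as well. The quickest check is to export the principal from each realm to a keytab and compare the (enctype, kvno, key) entries byte for byte. One caveat when exporting from MIT: kadmin's ktadd generates fresh random keys by default, which would itself break the trust; use kadmin.local with -norandkey to write the existing key. The script below is an added example, not part of this thread and not Samba or MIT code; it parses the version-2 keytab format and compares the entries for a service name (such as krbtgt/REALM2) across two keytabs. The sample keytabs and key bytes it builds are constructed inline for illustration.

```python
"""Compare cross-realm krbtgt keys held in two keytabs (added example).

MIT keytab file format, version 0x0502, all integers big-endian:
  magic 0x05 0x02
  repeated entries: int32 entry_len (negative = deleted slot), then
    uint16 ncomponents, counted realm, ncomponents x counted component,
    uint32 name_type, uint32 timestamp, uint8 vno8,
    uint16 enctype, counted key, optional uint32 vno32
A "counted" field is a uint16 length followed by that many bytes.
"""
import struct

KEYTAB_MAGIC = b"\x05\x02"
KRB5_NT_SRV_INST = 2          # name type normally used for krbtgt/REALM
ENCTYPE_AES256_CTS = 18       # aes256-cts-hmac-sha1-96, 32-byte key


def _counted(raw: bytes) -> bytes:
    return struct.pack(">H", len(raw)) + raw


def build_keytab(entries):
    """Serialize (realm, components, kvno, enctype, key) tuples into a v2 keytab."""
    out = bytearray(KEYTAB_MAGIC)
    for realm, components, kvno, enctype, key in entries:
        body = struct.pack(">H", len(components)) + _counted(realm.encode())
        for comp in components:
            body += _counted(comp.encode())
        body += struct.pack(">IIB", KRB5_NT_SRV_INST, 0, kvno & 0xFF)
        body += struct.pack(">H", enctype) + _counted(key)
        body += struct.pack(">I", kvno)          # 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


class _Cursor:
    def __init__(self, data, pos):
        self.data, self.pos = data, pos

    def unpack(self, fmt):
        vals = struct.unpack_from(fmt, self.data, self.pos)
        self.pos += struct.calcsize(fmt)
        return vals

    def counted(self):
        (n,) = self.unpack(">H")
        raw = self.data[self.pos:self.pos + n]
        self.pos += n
        return raw


def parse_keytab(data):
    """Return a list of dicts: name ('krbtgt/REALM2'), realm, kvno, enctype, key."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version-2 keytab")
    entries, pos = [], 2
    while pos < len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:
            raise ValueError("zero-length keytab entry")
        if size < 0:                             # deleted slot: skip its space
            pos += -size
            continue
        cur = _Cursor(data, pos)
        (ncomp,) = cur.unpack(">H")
        realm = cur.counted().decode()
        comps = [cur.counted().decode() for _ in range(ncomp)]
        _name_type, _timestamp, vno8 = cur.unpack(">IIB")
        (enctype,) = cur.unpack(">H")
        key = cur.counted()
        kvno = vno8
        if pos + size - cur.pos >= 4:            # optional 32-bit kvno present
            (vno32,) = cur.unpack(">I")
            if vno32:
                kvno = vno32
        entries.append({"name": "/".join(comps), "realm": realm,
                        "kvno": kvno, "enctype": enctype, "key": key})
        pos += size
    return entries


def compare_cross_realm_keys(keytab_a, keytab_b, name):
    """List mismatches for service `name` between two keytabs; [] means the
    (enctype, kvno, key) triples agree, as cross-realm TGS decryption requires.
    The realm field is ignored on purpose: exports from the two KDCs may record
    the principal under different realms while the key must still be identical."""
    def keys_of(data):
        return {(e["enctype"], e["kvno"]): e["key"]
                for e in parse_keytab(data) if e["name"] == name}
    a, b = keys_of(keytab_a), keys_of(keytab_b)
    if not a or not b:
        return [f"{name} absent from {'first' if not a else 'second'} keytab"]
    problems = []
    for enctype, kvno in sorted(set(a) | set(b)):
        tag = f"{name} enctype {enctype} kvno {kvno}"
        if (enctype, kvno) not in a:
            problems.append(f"{tag}: only in second keytab (kvno mismatch?)")
        elif (enctype, kvno) not in b:
            problems.append(f"{tag}: only in first keytab (kvno mismatch?)")
        elif a[(enctype, kvno)] != b[(enctype, kvno)]:
            problems.append(f"{tag}: key bytes differ (same password, different salt?)")
    return problems


if __name__ == "__main__":
    # Constructed sample keys, not real keytab material.
    shared, other = bytes(range(32)), bytes(range(32, 64))
    mit = build_keytab([("REALM1", ["krbtgt", "REALM2"], 1, ENCTYPE_AES256_CTS, shared)])
    samba_ok = build_keytab([("REALM2", ["krbtgt", "REALM2"], 1, ENCTYPE_AES256_CTS, shared)])
    samba_bad = build_keytab([("REALM2", ["krbtgt", "REALM2"], 1, ENCTYPE_AES256_CTS, other)])
    print(compare_cross_realm_keys(mit, samba_ok, "krbtgt/REALM2"))    # []
    print(compare_cross_realm_keys(mit, samba_bad, "krbtgt/REALM2"))   # key bytes differ
```

Run it against real exports by replacing the constructed keytabs with `open(path, "rb").read()` for the two files; an empty result for both krbtgt/REALM1 and krbtgt/REALM2 rules the shared key out as the cause, and a "key bytes differ" line with matching kvno points at the salt used during key derivation rather than at the password itself.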
More information about the samba-technical mailing list