samba and kerberos

Notify Me notify.sina at gmail.com
Sat Jul 13 02:18:56 MDT 2013


Sorry for coming into another's conversation, but I wanted to know if the
smb.conf file described is for Samba4 AD.

Thanks
On Jul 13, 2013 8:40 AM, "Andrew Bartlett" <abartlet at samba.org> wrote:

> On Sat, 2013-07-13 at 09:20 +0200, Gémes Géza wrote:
> > On 2013-07-11 15:45, Manuel Sabban wrote:
> > > Hi,
> > >
> > > I searched for quite some time now, and I am quite clueless of how to
> achieve our final configuration. I am not even sure that it is possible.
> > >
> > > Here's the thing.
> > >
> > > We have a network with around 1000 computers I would say. It is
> mixed between windows and linux stations. Until now we had LDAP servers to
> authenticate against. The windows box authentications were managed by a
> samba3 with ldapsam backend.
> > >
> > > Now, we would like to deploy windows 7, with an active directory
> support with samba4. But we also would like to change the authentication to
> a kerberos realm for the linux boxes.
> > >
> > > So I set up a samba4 domain controller and a MIT kerberos server. For
> the sake of details, the samba4 version is 4.0.3 from debian experimental
> (as the beta3 version in wheezy didn't do well with external cifs server) on
> a wheezy.
> > >
> > > Now I want to set up cross-realm trust between kerberos and the
> internal kerberos of samba4 (I would like the ticket being useable on both
> realms).
> > > I created principals for the two realms.
> > >
> > > Let's say REALM1 = Kerberos MIT
> > > and REALM2 = samba4
> > >
> > > I created krbtgt/REALM1 at REALM2 and krbtgt/REALM2 at REALM1 on both
> realms using kadmin for the kerberos part, samba-tool (create a user,
> create principals for this user, and exportkeytab for these principals). I
> used same password. I tried to create the keytab first on samba4 and after
> on kerberos but none work.
> > >
> > > It seems that I am able to get a TGT from the foreign realm (REALM1 if
> I kinit-ed to REALM2 for example), but the TGS failed to be delivered,
> (TGS_REQ failing with "Decrypt integrity check failed"). I am quite sure
> that ciphers are the same on both sides.
> > >
> > > So now here's the question :
> > >
> > > 1. Is this possible ?
> > > 2. Is there something I missed
> > > 3. Maybe there's a better option to achieve what I want, or nearly
> achieve what I want.
> > >
> > > Thank you for your work on samba, and for your help.
> > >
> > > Best regards,
> > > Manuel Sabban
> > If you don't want additional headaches forget about the MIT KDC and
> > trust, simply joining the linux boxes to the samba4 AD does the trick.
>
> Thanks, that says exactly what I was going to say.
>
> > You have to install winbind (preferably 3.6.x for now), nss-winbind,
> > pam-winbind and pam-krb5 (exact names depends on distribution) on the
> > linux boxes, create a krb5.conf like:
>
> My only question is why 3.6 winbind? The only issues we have had that
> I know of are in the winbind internal to the AD DC, the Samba 4.0
> winbindd should be fine, if packaged for your distribution.
>
> Andrew Bartlett
> --
> Andrew Bartlett                                http://samba.org/~abartlet/
> Authentication Developer, Samba Team           http://samba.org
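Editor's note on Manuel's "Decrypt integrity check failed" TGS_REQ: a cross-realm TGS exchange only works if both KDCs hold byte-identical keys for krbtgt/REALM2@REALM1 (and krbtgt/REALM1@REALM2) at the same kvno and in an enctype both sides support. "Same password" is not enough for the salted AES enctypes, because the key is derived from password plus salt, and an MIT KDC and a Samba AD DC do not necessarily use the same salt for a service principal; only the unsalted arcfour-hmac key is password-only. One way to settle it is to compare the keys each side actually holds, i.e. the keytab from `samba-tool domain exportkeytab` against the MIT side's keytab (note that MIT's `kadmin ktadd` generates a new random key unless told not to, so export, then compare). The script below is an added example written for this archive page, not code from the thread, Samba or MIT krb5; it parses the MIT keytab file format (version 0x0502), and the two keytabs it compares are constructed inline with placeholder key bytes.

```python
import struct

# Cross-realm trust principal from the thread (REALM1 = MIT KDC, REALM2 = Samba4 AD).
TRUST_PRINCIPAL = "krbtgt/REALM2@REALM1"

ENCTYPE_NAMES = {
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",
}


def build_keytab(entries):
    """Serialise (principal, kvno, enctype, key) tuples as an MIT keytab (format 0x0502).

    Used here only to construct sample input; real files come from
    `samba-tool domain exportkeytab` or MIT kadmin/ktutil in the same on-disk format.
    """
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = bytearray()
        body += struct.pack(">H", len(comps))                  # component count (realm excluded)
        body += struct.pack(">H", len(realm)) + realm.encode()
        for comp in comps:
            body += struct.pack(">H", len(comp)) + comp.encode()
        body += struct.pack(">II", 1, 0)                       # name_type NT-PRINCIPAL, timestamp
        body += struct.pack(">B", kvno & 0xFF)                 # 8-bit key version
        body += struct.pack(">HH", enctype, len(key)) + key    # keyblock: enctype, length, key
        body += struct.pack(">I", kvno)                        # 32-bit key version
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def _counted_string(buf, off):
    """Read a 16-bit length-prefixed string at buf[off]; return (text, new offset)."""
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    return buf[off:off + n].decode(), off + n


def parse_keytab(data):
    """Parse an MIT keytab into dicts with principal, kvno, enctype and key bytes."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                      # negative size marks a deleted entry: skip the hole
            pos += -size
            continue
        entry, pos = data[pos:pos + size], pos + size
        (ncomp,) = struct.unpack_from(">H", entry, 0)
        realm, off = _counted_string(entry, 2)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted_string(entry, off)
            comps.append(comp)
        off += 8                          # name_type and timestamp are not needed for the check
        vno = entry[off]
        off += 1
        enctype, klen = struct.unpack_from(">HH", entry, off)
        off += 4
        key = bytes(entry[off:off + klen])
        off += klen
        if len(entry) - off >= 4:         # trailing 32-bit kvno, when present and non-zero, wins
            (vno32,) = struct.unpack_from(">I", entry, off)
            if vno32:
                vno = vno32
        entries.append({"principal": "/".join(comps) + "@" + realm,
                        "kvno": vno, "enctype": enctype, "key": key})
    return entries


def compare_trust_keys(keytab_a, keytab_b, principal=TRUST_PRINCIPAL):
    """Return findings (strings) where the two keytabs disagree about `principal`.

    An empty list means every enctype is present on both sides with the same kvno
    and identical key bytes, which is what a cross-realm TGS exchange requires.
    """
    side_a = {e["enctype"]: e for e in parse_keytab(keytab_a) if e["principal"] == principal}
    side_b = {e["enctype"]: e for e in parse_keytab(keytab_b) if e["principal"] == principal}
    findings = []
    for et in sorted(set(side_a) | set(side_b)):
        name = ENCTYPE_NAMES.get(et, "enctype %d" % et)
        if et not in side_a or et not in side_b:
            findings.append("%s: present in only one keytab" % name)
        elif side_a[et]["kvno"] != side_b[et]["kvno"]:
            findings.append("%s: kvno %d vs %d" % (name, side_a[et]["kvno"], side_b[et]["kvno"]))
        elif side_a[et]["key"] != side_b[et]["key"]:
            findings.append("%s: key bytes differ (different password or salt)" % name)
    if not side_a or not side_b:
        findings.append("%s missing from at least one keytab" % principal)
    return findings


# Constructed sample keytabs; the key bytes are placeholders, not real key material.
MIT_KEYTAB = build_keytab([
    (TRUST_PRINCIPAL, 1, 18, b"\x11" * 32),   # AES key derived with the MIT side's salt
    (TRUST_PRINCIPAL, 1, 23, b"\x22" * 16),   # RC4 key is unsalted, so it matches below
])
SAMBA_KEYTAB = build_keytab([
    (TRUST_PRINCIPAL, 1, 18, b"\x33" * 32),   # same password, different salt -> different key
    (TRUST_PRINCIPAL, 1, 17, b"\x44" * 16),   # enctype the MIT side never exported
    (TRUST_PRINCIPAL, 1, 23, b"\x22" * 16),
])

if __name__ == "__main__":
    for line in compare_trust_keys(MIT_KEYTAB, SAMBA_KEYTAB) or ["keys consistent"]:
        print(line)
```

Run against real exports by replacing the two constructed blobs with `open(path, "rb").read()` and checking both trust principals. A report of "key bytes differ" on AES but not on arcfour-hmac is the salt problem described above; "present in only one keytab" means the realms have no enctype in common for that trust, and a kvno mismatch means one side was re-keyed after the other was exported.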