Is Kerberos Required on Linux to Enable NTLM Authentication ONLY Using Samba / Winbind to a Windows AD Domain?

Vince George (vincgeor) vincgeor at cisco.com
Sun Nov 23 16:26:25 MST 2014


Hi Denis,

Thanks for the reply.

When I re-run klist after connecting to the Sharepoint site no new Kerberos tickets show in the list. Note, we are connecting via a middle-tier that has NTLM as an authentication choice but not Kerberos.

We got as far as installing Samba/Winbind on the Linux server. When setting up Winbind we get the following error during the net join...

net rpc join -U root%xxxxxxx
 
Unable to find a suitable server for domain ITSERVICES                         #
DOMAIN OR WORKGROUP NAME
Unable to find a suitable server for domain ITSERVICES                         #
DOMAIN OR WORKGROUP NAME

Looking up the error there are several references on the Web that suggest Kerberos should be installed & configured as a prerequisite. Also, the suggestion is we switch from security = domain to security = ADS (Active Directory is used on the Windows side) and run a: net ads join -S <Windows domain server> -U adminuser%password.

Does this sound correct?

Thanks... Vince

-----Original Message-----
From: Denis Cardon [mailto:denis.cardon at tranquil-it-systems.fr] 
Sent: Saturday, November 22, 2014 12:29 PM
To: Vince George (vincgeor); samba-technical at lists.samba.org
Subject: Re: Is Kerberos Required on Linux to Enable NTLM Authentication ONLY Using Samba / Winbind to a Windows AD Domain?

Hi Vince,

> I think I may be working off bad setup instructions which never mention any Kerberos setup pre-requisite prior to installing & configuring Samba / Winbind on a Linux box for the sole purpose of enabling NTLM authentication to a Windows AD domain to connect to a Share Point site (which uses that authentication).
>
> So the question... Is Kerberos Required on Linux to Enable NTLM Authentication ONLY Using Samba / Winbind to a Windows AD Domain?

It is much easier to configure sso through kerberos. You can check on a win7 desktop if internet explorer has negotiated kerberos or ntlm auth. After connecting to your sharepoint, you check if you have a ticket in your kerberos credential cache using the command klist. You should have something like HTTP/myserver.mydomain.local@MYDOMAIN.LOCAL.

If it is the case, then you install krb5-user/krb5-workstation and edit your /etc/krb5.conf file, then try kinit. If it works, in Firefox you go into about:config and add your dns domain in the network.negotiate-auth.trusted-uris key.

Hope this helps,

Denis



>
> Thanks... Vince
>


--
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil-it-systems.fr
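Denis's klist check, carried out as a small script so it can be repeated after each test login. This is an added example, not code from the thread; the cache contents, principal names and timestamps in SAMPLE_KLIST are constructed to look like MIT klist output, and the hostname sharepoint.mydomain.local is a placeholder for the real site.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): decide from `klist`
# output whether the browser obtained a Kerberos service ticket for a web
# server. A ticket of the form HTTP/<host>@<REALM> means SSO used Kerberos;
# its absence after a successful login means NTLM (or no SSO) was used.

# http_ticket_for HOST KLIST_OUTPUT
#   prints the matching service principal and returns 0, or returns 1 when
#   no HTTP/HOST@REALM ticket is present in the supplied cache listing.
#   HOST is compared case-insensitively; the realm part is not checked.
http_ticket_for() {
    host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    printf '%s\n' "$2" | awk -v host="$host" '
        # Ticket rows end in a principal that contains both "/" and "@";
        # the "Ticket cache:" and "Default principal:" header lines do not.
        NF >= 3 && $NF ~ /\/.*@/ {
            svc = $NF
            split(svc, parts, "/"); split(parts[2], hr, "@")
            if (tolower(parts[1]) == "http" && tolower(hr[1]) == host) {
                print svc; found = 1; exit
            }
        }
        END { exit found ? 0 : 1 }'
}

# Constructed sample of what klist prints on a workstation that reached
# the SharePoint site through Kerberos (TGT plus one HTTP/ service ticket).
SAMPLE_KLIST=$(cat <<'EOF'
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: vince@MYDOMAIN.LOCAL

Valid starting       Expires              Service principal
11/23/2014 16:00:00  11/24/2014 02:00:00  krbtgt/MYDOMAIN.LOCAL@MYDOMAIN.LOCAL
11/23/2014 16:05:12  11/24/2014 02:00:00  HTTP/sharepoint.mydomain.local@MYDOMAIN.LOCAL
EOF
)

# On a real machine replace "$SAMPLE_KLIST" with "$(klist 2>/dev/null)".
if ticket=$(http_ticket_for sharepoint.mydomain.local "$SAMPLE_KLIST"); then
    echo "Kerberos SSO: service ticket $ticket is in the cache"
else
    echo "No HTTP/ ticket: the site was reached with NTLM or without SSO"
fi
```

A middle tier that only offers NTLM, as in Vince's case, will never produce the HTTP/ ticket, so the script reporting the second branch is the expected result there.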


