Is Kerberos Required on Linux to Enable NTLM Authentication ONLY Using Samba / Winbind to a Windows AD Domain?
Vince George (vincgeor)
vincgeor at cisco.com
Sun Nov 23 16:26:25 MST 2014
Hi Denis,
Thanks for the reply.
When I re-run klist after connecting to the Sharepoint site no new Kerberos tickets show in the list. Note, we are connecting via a middle-tier that has NTLM as an authentication choice but not Kerberos.
We got as far as installing Samba/Winbind on the Linux server. When setting up Winbind we get the following error during the net join...
net rpc join -U root%xxxxxxx
Unable to find a suitable server for domain ITSERVICES #
DOMAIN OR WORKGROUP NAME
Unable to find a suitable server for domain ITSERVICES #
DOMAIN OR WORKGROUP NAME
Looking up the error, there are several references on the Web that suggest Kerberos should be installed & configured as a prerequisite. Also, the suggestion is we switch from security = domain to security = ADS (Active Directory is used on the Windows side) and run a: net ads join -S <Windows domain server> -U adminuser%password.
Does this sound correct?
Thanks... Vince
-----Original Message-----
From: Denis Cardon [mailto:denis.cardon at tranquil-it-systems.fr]
Sent: Saturday, November 22, 2014 12:29 PM
To: Vince George (vincgeor); samba-technical at lists.samba.org
Subject: Re: Is Kerberos Required on Linux to Enable NTLM Authentication ONLY Using Samba / Winbind to a Windows AD Domain?
Hi Vince,
> I think I may be working off bad setup instructions which never mention any Kerberos setup pre-requisite prior to installing & configuring Samba / Winbind on a Linux box for the sole purpose of enabling NTLM authentication to a Windows AD domain to connect to a SharePoint site (which uses that authentication).
>
> So the question... Is Kerberos Required on Linux to Enable NTLM Authentication ONLY Using Samba / Winbind to a Windows AD Domain?
It is much easier to configure SSO through Kerberos. You can check on a Win7 desktop if Internet Explorer has negotiated Kerberos or NTLM auth.
After connecting to your SharePoint, you check if you have a ticket in your Kerberos credential cache using the command klist. You should have something like HTTP/myserver.mydomain.local@MYDOMAIN.LOCAL.
If it is the case, then you install krb5-user/krb5-workstation and edit your /etc/krb5.conf file, then try kinit. If it works, in your Firefox, you go in about:config and add your DNS domain in the network.negotiate-auth.trusted-uris key.
Hope this helps,
Denis
>
> Thanks... Vince
>
--
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil-it-systems.fr
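As an added example (not code from this thread, and not part of Samba), the script below performs offline the two checks discussed above: Denis's klist test for an HTTP/ service ticket, which tells you whether the client actually negotiated Kerberos rather than NTLM, and a check of whether an smb.conf is set to security = ads with a realm, which is the prerequisite for the "net ads join" Vince was pointed to (security = domain is the NT4-style join that "net rpc join" uses). The klist output, hostnames, realm and smb.conf fragments are constructed placeholders, not values from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Samba project.
# Two offline checks for the points raised above:
#  (1) Denis's test: after connecting to the site, does klist show an HTTP/ service
#      ticket? If it does, the client negotiated Kerberos rather than NTLM.
#  (2) Vince's proposed change: is smb.conf set to "security = ads" with a realm,
#      which is what "net ads join" expects (security = domain is the NT4-style join)?
# Hostnames, realm and principals below are constructed placeholders.

# Read klist output on stdin; print every HTTP/ service principal found.
# Exit 0 if at least one was found, 1 otherwise.
http_tickets_in_klist() {
    # A klist ticket line ends with the service principal, e.g.
    # "11/23/14 16:05:12  11/24/14 02:00:00  HTTP/sp.example.local@EXAMPLE.LOCAL"
    awk '$NF ~ /^HTTP\// { print $NF; found = 1 }
         END { exit (found ? 0 : 1) }'
}

# Read smb.conf on stdin; print the value of the "security" parameter, lowercased.
# Lines commented out with # or ; do not match because $1 then starts with the comment char.
smbconf_security_mode() {
    awk -F= 'tolower($1) ~ /^[ \t]*security[ \t]*$/ {
                 v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); print tolower(v) }'
}

# Read smb.conf on stdin; exit 0 only if security = ads and a realm is configured.
smbconf_ready_for_ads_join() {
    conf=$(cat)
    mode=$(printf '%s\n' "$conf" | smbconf_security_mode)
    realm=$(printf '%s\n' "$conf" | awk -F= 'tolower($1) ~ /^[ \t]*realm[ \t]*$/ {
                 v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); print v }')
    [ "$mode" = "ads" ] && [ -n "$realm" ]
}

# Constructed sample klist output. The second cache holds only the TGT, which is
# what Vince describes: the site was reached without a Kerberos service ticket.
SAMPLE_KLIST_KERBEROS='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: vince@EXAMPLE.LOCAL

Valid starting     Expires            Service principal
11/23/14 16:00:00  11/24/14 02:00:00  krbtgt/EXAMPLE.LOCAL@EXAMPLE.LOCAL
11/23/14 16:05:12  11/24/14 02:00:00  HTTP/sharepoint.example.local@EXAMPLE.LOCAL'

SAMPLE_KLIST_NTLM_ONLY='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: vince@EXAMPLE.LOCAL

Valid starting     Expires            Service principal
11/23/14 16:00:00  11/24/14 02:00:00  krbtgt/EXAMPLE.LOCAL@EXAMPLE.LOCAL'

# Constructed smb.conf fragments: the first is the NT4-style join Vince started
# with, the second is the ADS form suggested in the thread.
SMBCONF_DOMAIN='[global]
   workgroup = ITSERVICES
   security = domain
   winbind use default domain = yes'

SMBCONF_ADS='[global]
   workgroup = ITSERVICES
   realm = EXAMPLE.LOCAL
   security = ads
   winbind use default domain = yes'

# Stand-alone demonstration over the constructed samples.
if printf '%s\n' "$SAMPLE_KLIST_KERBEROS" | http_tickets_in_klist; then
    echo "HTTP/ ticket present: the site was reached via Kerberos"
else
    echo "No HTTP/ ticket: the client used NTLM (or never reached the site)"
fi
for c in "$SMBCONF_DOMAIN" "$SMBCONF_ADS"; do
    mode=$(printf '%s\n' "$c" | smbconf_security_mode)
    if printf '%s\n' "$c" | smbconf_ready_for_ads_join; then
        echo "security = $mode: ready for 'net ads join'"
    else
        echo "security = $mode: use 'net rpc join', or switch to security = ads and set realm"
    fi
done
```

To apply the first check on a real machine, pipe the actual output in with `klist | http_tickets_in_klist` after visiting the site; for the second, `smbconf_ready_for_ads_join < /etc/samba/smb.conf`. Both functions only read their input, so they are safe to run on a production box.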