Kerberos support on Samba

Vikram Bharti vikrambharti33 at
Wed Mar 3 15:27:21 UTC 2021


Was going through this.

And I found that we do support Kerberos. Please correct my understanding.

Assumption 1:- does this mean that if a user x has permission on an SMB share then
he can access SMB shares by sending credentials to the callback API, and Samba
can use those tokens to forward them to the SMB shares and provide the access?
What I understand from the *testBrowse* example: just enable the Kerberos flag
and pass the user credentials to the callback function, which internally uses
kinit to pass the credentials and get the TGT and TGS exchanged. And then
libsmbclient forwards the request to the SMB shares with the TGS received and
initiates a TCP session.

Assumption 2:- it's only possible to get the token for the service account
set up for a computer account as mentioned below.

Setspn -s http/<computer-name>.<domain-name> <domain-user-account>

