Kerberos support on Samba
jra at samba.org
Thu Mar 4 22:59:42 UTC 2021
On Wed, Mar 03, 2021 at 08:57:21PM +0530, Vikram Bharti via samba-technical wrote:
>Was going through this.
>And I found that we do support Kerberos. Please correct my understanding
>Assumption 1:- does this mean if a user x has permission on SMB share then
>he can access SMB shares by sending credentials to callback API and Samba
>can use those tokens to forward it to SMB shares and provide the access?
>What i understand from t*estBrowse *example , just enable the Kerberos flag
>and pass the user credential to call back function. Which internally uses
>Kinit to pass the credentials and get TGT and TGS exchanged. And then
>libsmbclient forward the request to SMB shares with TGS received and
>initiate TCP session.
What do you mean by:
"Samba can use those tokens to forward it to SMB
shares and provide the access?"
Can you be really clear as to what you're asking
for here because I don't currently understand it :-).
>Assumption 2:- it's only possible to get the token for the service account
>set up for a computer account as mentioned below.
>Setspn -s http/<computer-name>.<domain-name> <domain-user-account>
Setspn is a Windows client command.
Again, what does:
"it's only possible to get the token for the service account"
mean for Samba ? Windows clients happily use krb5 from user
accounts to talk to Samba servers.
More information about the samba-technical