Kerberos 4 logon to SAMBA

Allan Bjorklund allan at
Mon Nov 3 18:17:44 GMT 1997

   I've noticed quite a few people on this list asking for a way of
 logging their users onto a SAMBA server using Kerberos.  We've done
 this by writing a GINA for NT and a network provider wrapper for

   The GINA and NP wrapper also allow us to manage some of the account
 features for the users logging in.

   When the user authenticates to NT or 95, they do so using their
 Kerberos identity.  The GINA or NP wrapper then calls what we call
 the Pseudo Domain server, which is running alongside SAMBA on the
 server box.  The PD server authenticates the user using Kerberos and
 then looks up their "user record" which is a variant on the MS
 USER_INFO_3 struct.

   Using the private message functions to encrypt the network traffic,
 the client can request the appropriate information to set up the
 account and also request the password to logon to SAMBA.

   Once the local account has been created, the GINA/NP wrapper drops
 the password they received into the normal MS logon sequence.  The
 client then does the normal logon to SAMBA (which has been modified to
 look for the password in our user records).

   We also have an additional step to authenticate our users to their
 AFS space.

   Since our users never need to know their passwords for the SAMBA
 server we don't have to keep them synched with any other password
 database and can regularly change them on each server.

   The modified SAMBA source, Pseudo Domain server, and the binaries
 for Windows 95/NT, may be found at this URL:

   There are some very crude instructions on how to set everything up,
 and the Windows pieces use Kerberos 95.

   Also included with this is a shell extension for 95/NT4.0 that will
 talk to a named pipe we added to SAMBA to allow you to view/set UNIX
 and AFS permissions.

--Allan Bjorklund
  allan at
