[Samba] Re: Samba PDC and Kerberos(MIT or SEAM in Uinx, without microsoft ADS)

[Yongjun Rong]

Hi, Andrew, 
   Thank you very much for your answer.
   Now our case is as below:
   1, our client machine is the windows 2000 
   2, We want our Kerberos run in the Unix box.
   3, We also want the samba as PDC for all windows user and machine.
   4, We want integrate the Kerberos Authentication with samba authentication.
   So in this situation, can we get the kerberos login from the windows 2000 client 
because the windows 2000 is support kerberos authenctication. If it can, where can I 
start?
   I have already setup the environment for windows 2000 client auhtenticating 
himself to the Kerberos Realm in the Solaris and authenticate the samba domain user 
to the local windows 2k machine. But this two cases are seperated from each other 
which means the kerberos authentication use the kerberos password and samba PDC 
authentication use the smbpasswd. And I can also map(using Ksetup /mapuser) the 
kerberos user to the local or samba domain user and then do the authentication to 
the kerberos. So we really want is, when we do the samba PDC authentication we can 
use the kerberos password. I don't know if it right. PLS correct me .
  Thank you very much.
  John

---- Original Message ----
From:		Andrew Bartlett
Date:		Mon 10/28/02 17:24
To:		Yongjun Rong
Cc:		abartlet at samba.org
Subject:	Re: Samba and Kerberos(MIT or SEAM, without microsoft ADS)

Yongjun Rong wrote:
> 
> Hi, Andrew,
>    This is John from Texas Tech University.I have read your reply about samba and
> kerberos. May I ask you some question about samba and Kerberos.
>    1, Is the samba can use the kerberos(Not with ADS, Just MIT or SEAM in Solaris)
> as the authentication services and store samba user and passwd in the kerberos
> database directly but not using OpenLDAP?

If you can get the clients to send you a kerberos login without using
ADS, then the modification is realitivly simple, and is part of the work
towards an Active Directory replacement.

>    2, If it cannot, I know the samba has support the Kerberos with Microsoft ADS.
> Where can start to change the source to enable the support for MIT or SEAM in
> solaris? How can I do it? I have download the source of samba3.0alpha20. And I also
> have configure the samba as a PDC for my win2k client.

You can't do PDC stuff with this kind of setup, not until we get a *lot*
more Active Directory work done.

>    3, You said that samba should support the MIT kerberos. But not at this moment.
> Did it support keberos in the older version or not? which version? If it was not
> support. I wish I can do something for it.
>    Thank you very much for your help.
>    John.

In a very old version, we used the host keytab.  Now we use our own
secrets.tdb file, which we maintain.  This is becouse in an ADS
environment, we need to do both NT authentication and Kerberos.

Please put questions to the list, so that others may see the replies. 
CC me if you want me to actually read it however :-)

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net