[Samba] Samba 3, Win2K, and MIT KDC -- possible?

Andrew Bartlett abartlet at samba.org
Tue Jan 28 11:33:31 GMT 2003


On Fri, 2003-01-24 at 20:58, darkness wrote:
> 	After setting up Samba 3 I noticed the Windows 2000 box was
> requesting a ticket from the KDC for HOST/<NETBIOS NAME>@MYREALM.COM
> when it tried to connect to the Samba server.  I presume that W2K is
> sending the ticket it is granted along to the Samba server.  If that
> presumption is correct, is it possible to make Samba authenticate the
> user with the Kerberos ticket they present?  If so, how do I need to
> configure Samba and supporting software?
> 
> 	I've got an MIT KDC set up in Linux along with OpenLDAP.
> Linux (Red Hat 8.0) is quite happily doing Kerberos authentication and
> using nss_ldap.  I've got a Windows 2000 workstation that is in a
> workgroup -- not in a domain of any sort.  It is authenticating
> against the same MIT KDC on Linux (set up with KSETUP.EXE).  There is
> no Active Directory server on my network.  I don't really want any of
> the typical "domain" functionality; I don't mind having to create
> local user accounts for each user on the Windows machines, etc.
> 
> 	I can supply log output, install strange software, CVS, more
> information on my environment, etc.  I've seen mentions in CVS of
> Andrew Tridgell connecting to smbd with smbclient and an MIT KDC in
> the middle, but no mention of whether this is possible with W2K in
> place of smbclient.  Any help greatly appreciated.

The main issue is getting Samba the password for the domain.  Once it
has the right krb5 keys, the rest should work...

Currently there is no way to set an arbitrary password, only a way to
join with the admin username/pw.  This means that Samba uses LDAP etc. to
do it.  We need to add a 'net' command to set the password, I think.  It
used to work - but that was in the initial stages when we didn't use our
internal secrets.tdb to store the password.

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net