[Samba] Kerberos TGT support in Samba 3.0

"Martin v. Löwis" martin at v.loewis.de
Tue May 20 16:53:13 GMT 2003

Jerome Walter wrote:

> I am trying to find a way to authenticate users on both Windows and unix
> stations against the same KDC (MIT) and it would help if Samba was able to
> grant access based on TGT tickets delivered to the windows client and then
> deliver accounting information to the stations.

You will have to add a service principal to your kdc, probably using 
kadmin addprinc/ktadd. I think the principial name should be 
"host at REALM". You then need to communicate the principal's key to the 
keytab on the SMB machine. (perhaps kadmin can do this all in one step).

Your clients then don't use their TGT to get access to Samba, but 
instead go to the KDC which gives them a session ticket for the Samba 
service. With that session ticket, the clients open the connection to 
smbd, which validates the ticket based on the shared key that you had 
created in the KDC before.


More information about the samba mailing list