[Samba] Kerberos TGT support in Samba 3.0
"Martin v. Löwis"
martin at v.loewis.de
Tue May 20 16:53:13 GMT 2003
Jerome Walter wrote:
> I am trying to find a way to authenticate users on both Windows and unix
> stations against the same KDC (MIT) and it would help if Samba was able to
> grant access based on TGT tickets delivered to the windows client and then
> deliver accounting information to the stations.
You will have to add a service principal to your KDC, probably using
kadmin addprinc/ktadd. I think the principal name should be
"host@REALM". You then need to communicate the principal's key to the
keytab on the SMB machine. (perhaps kadmin can do this all in one step).
Your clients then don't use their TGT to get access to Samba, but
instead go to the KDC which gives them a session ticket for the Samba
service. With that session ticket, the clients open the connection to
smbd, which validates the ticket based on the shared key that you had
created in the KDC before.
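
Added example (not part of the original post, and not Samba or MIT Kerberos code): a toy Python model of the flow described above, showing that smbd, holding only the keytab key, accepts a service ticket but cannot open a TGT. The cipher is a stand-in for a real Kerberos enctype, the session key and authenticator are omitted, and all names (`ToyKDC`, `smbd_accept`, the example.com principals) are assumptions.

```python
import hashlib, hmac, json, os, time

def _stream(key, nonce, n):
    # SHA-256 counter keystream: toy cipher standing in for a real Kerberos enctype
    return b"".join(hashlib.sha256(key + nonce + bytes([i])).digest() for i in range(n // 32 + 1))[:n]

def seal(key, fields):
    pt, nonce = json.dumps(fields).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("not sealed with this key")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

class ToyKDC:
    def __init__(self, realm):
        self.tgs = f"krbtgt/{realm}@{realm}"
        self.db = {self.tgs: os.urandom(32)}  # principal -> long-term key
    def addprinc_ktadd(self, principal):
        self.db[principal] = os.urandom(32)   # addprinc: new random service key
        return self.db[principal]             # ktadd: the copy stored in the keytab
    def issue_tgt(self, client):
        return seal(self.db[self.tgs], {"client": client, "for": self.tgs, "exp": time.time() + 36000})
    def issue_service_ticket(self, tgt, service):
        t = unseal(self.db[self.tgs], tgt)    # only the KDC can open a TGT
        if t["exp"] < time.time():
            raise ValueError("TGT expired")
        return seal(self.db[service], {"client": t["client"], "for": service, "exp": time.time() + 300})

def smbd_accept(keytab_key, service, ticket):
    t = unseal(keytab_key, ticket)            # smbd knows only its own keytab key
    if t["for"] != service or t["exp"] < time.time():
        raise ValueError("ticket not valid for this service")
    return t["client"]

def demo():
    svc = "host/fs.example.com@EXAMPLE.COM"   # constructed principal names
    kdc = ToyKDC("EXAMPLE.COM")
    keytab = kdc.addprinc_ktadd(svc)
    tgt = kdc.issue_tgt("alice@EXAMPLE.COM")
    accepted = smbd_accept(keytab, svc, kdc.issue_service_ticket(tgt, svc))
    try:
        smbd_accept(keytab, svc, tgt)
        tgt_accepted = True
    except ValueError:
        tgt_accepted = False
    return accepted, tgt_accepted
```

`demo()` returns the client name smbd recovered from the service ticket, and whether the raw TGT was accepted by smbd.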