[Samba] Kerberos TGT support in Samba 3.0

Jerome Walter walter+samba at efrei.fr
Tue May 20 17:18:29 GMT 2003 

On Tue, May 20, 2003 at 06:53:13PM +0200, "Martin v. Löwis" wrote:
> Jerome Walter wrote:
> 
> >I am trying to find a way to authenticate users on both Windows and unix
> >stations against the same KDC (MIT) and it would help if Samba was able to
> >grant access based on TGT tickets delivered to the windows client and then
> >deliver accounting information to the stations.
> 
> You will have to add a service principal to your kdc, probably using 
> kadmin addprinc/ktadd. I think the principial name should be 
> "host at REALM". You then need to communicate the principal's key to the 
> keytab on the SMB machine. (perhaps kadmin can do this all in one step).

Just a few steps indeed.
So, i should consider Samba 3 supports Kerberos authentication more than 2.2.x
;) 
One point suprised me yet. When creating principals in the KDC we used to use
host/hostname.domain.tld at REALM as instance/principal. Should i really add a
principal without any instance ?

> Your clients then don't use their TGT to get access to Samba, but 
> instead go to the KDC which gives them a session ticket for the Samba 
> service. With that session ticket, the clients open the connection to 
> smbd, which validates the ticket based on the shared key that you had 
> created in the KDC before.

Yes, of course, i messed up my explanations while trying to write good
english and to point out my problem.

Is there any specific configuration to get this working or the compilation
--with-krb5 and the parameters realm etc ... should be enough ?

By the way, the server i am trying to cahnge was the PDC. Is there any
possibility to keep the PDC functions working while using the Kerberos
authentication ? I am starting to test a GINA with pam to get all the
functions working, am i wrong ? Perhaps i missed something ...


TIA for your replies


Jerome

-- 
-+--   Jérôme Walter - 	I2 EFREI		          ----+-
 Equipe Système - Efrei Robotique - Jap'Efrei - Erasmus Tutors
 "The World is my country" - "Nihon no tomodachi desu"
EFREI System and Networking guide http://perso.efrei.fr/~walter/

More information about the samba mailing list