[Samba] Kerberos TGT support in Samba 3.0

"Martin v. Löwis" martin at v.loewis.de
Tue May 20 17:29:49 GMT 2003

Jerome Walter wrote:

> One point surprised me yet. When creating principals in the KDC we used to use
> host/hostname.domain.tld at REALM as instance/principal. Should I really add a
> principal without any instance ?

The question is what kind of tickets the Windows clients will request.
You should see for yourself, and check documentation etc, but I believe
Microsoft hasn't fully grasped the notion of service instances, and 
instead requests keys for "the machine"; it also doesn't use the FQDN.

At least that's what happens when I use smbclient to
kerberos-authenticate in my W2k domain; such a ticket ends up in my
ticket cache.

> Yes, of course, I messed up my explanations while trying to write good
> English and to point out my problem.
> Is there any specific configuration to get this working or the compilation
> --with-krb5 and the parameters realm etc ... should be enough ?

I have tested the client side only so far, with the standard Debian 
packages of Samba 3.0. It worked out of the box. Kerberos authentication
is reported to work for the server side as well; you should configure
the realm at run-time (i.e. not at compile-time).

> By the way, the server I am trying to change was the PDC. Is there any
> possibility to keep the PDC functions working while using the Kerberos
> authentication ?

Why don't you use just the PDC Kerberos server, and authenticate 
everything against that? Works fine for me (except that Linux 
smbmount/smbfs doesn't support Kerberos authentication).


