[Samba] Kerberos TGT support in Samba 3.0

Andrew Bartlett abartlet at samba.org
Tue May 20 23:19:27 GMT 2003


On Wed, 2003-05-21 at 03:18, Jerome Walter wrote:
> On Tue, May 20, 2003 at 06:53:13PM +0200, "Martin v. Löwis" wrote:
> > Jerome Walter wrote:
> > 
> > >I am trying to find a way to authenticate users on both Windows and unix
> > >stations against the same KDC (MIT) and it would help if Samba was able to
> > >grant access based on TGT tickets delivered to the windows client and then
> > >deliver accounting information to the stations.
> > 
> > You will have to add a service principal to your KDC, probably using 
> > kadmin addprinc/ktadd. I think the principal name should be 
> > "host@REALM". You then need to communicate the principal's key to the 
> > keytab on the SMB machine (perhaps kadmin can do this all in one step).
> 
> Just a few steps indeed.
> So, I should consider that Samba 3 supports Kerberos authentication more than 2.2.x
> ;)
> One point still surprised me. When creating principals in the KDC we used to use
> host/hostname.domain.tld@REALM as instance/principal. Should I really add a
> principal without any instance?
> 
> > Your clients then don't use their TGT to get access to Samba, but 
> > instead go to the KDC which gives them a session ticket for the Samba 
> > service. With that session ticket, the clients open the connection to 
> > smbd, which validates the ticket based on the shared key that you had 
> > created in the KDC before.
> 
> Yes, of course; I messed up my explanation while trying to write good
> English and to point out my problem.
> 
> Is there any specific configuration needed to get this working, or should
> compiling --with-krb5 and the parameters (realm etc.) be enough?
> 
> By the way, the server I am trying to change was the PDC. Is there any
> possibility to keep the PDC functions working while using Kerberos
> authentication? I am starting to test a GINA with PAM to get all the
> functions working; am I wrong? Perhaps I missed something ...

It looks like you want the Active Directory DC support that we just
don't have yet :-).

Samba 3.0 currently can't join an MIT domain, and even if it could, you
still need to make the clients get their tickets from the MIT domain - a
non-trivial task.

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/samba/attachments/20030520/7facb4e3/attachment.bin
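The thread above turns on two practical points: the service principal's key has to end up in a keytab on the SMB machine, and the principal name in that keytab (with or without the host/hostname.domain.tld instance) has to match what was created in the KDC. The Python script below is an added example, not code from this thread, from Samba or from MIT krb5: it writes a small MIT-format (version 0x0502) keytab from constructed sample entries and reads it back in the style of `klist -kt`, so an administrator can confirm offline that the principal name, key version number (kvno) and enctype stored on the SMB host are the ones the KDC issued. The principal names, key bytes, timestamps and kvno values are all constructed; the enctype numbers are the standard RFC 3961/3962 and RFC 4757 assignments and are used only as labels.

```python
import struct
import time

KEYTAB_MAGIC = b"\x05\x02"   # MIT keytab file format version 0x0502
KRB5_NT_PRINCIPAL = 1        # name type MIT uses for host/fqdn@REALM principals

# Standard enctype numbers (RFC 3962, RFC 4757); labels only, no crypto is done here.
ENCTYPE_NAMES = {
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",
}


def parse_principal(name):
    """Split 'host/fqdn@REALM' into (components, realm).

    A bare 'host@REALM' yields a single component and no instance, which is
    exactly the difference the thread is asking about."""
    if "@" not in name:
        raise ValueError("principal must carry a realm: %r" % name)
    primary, realm = name.rsplit("@", 1)
    components = primary.split("/")
    if not realm or any(c == "" for c in components):
        raise ValueError("malformed principal: %r" % name)
    return components, realm


def format_principal(components, realm):
    return "/".join(components) + "@" + realm


def _counted(data):
    # keytab "counted octet string": 16-bit big-endian length, then the bytes
    return struct.pack(">H", len(data)) + data


def build_keytab(entries):
    """Serialise (principal, kvno, enctype, key_bytes, timestamp) tuples into
    a version-0x0502 keytab, including the trailing 32-bit kvno field that
    current MIT krb5 writes for kvno values above 255."""
    out = bytearray(KEYTAB_MAGIC)
    for principal, kvno, enctype, key, timestamp in entries:
        components, realm = parse_principal(principal)
        body = struct.pack(">H", len(components))      # realm is not counted in v2
        body += _counted(realm.encode())
        for c in components:
            body += _counted(c.encode())
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, timestamp, kvno & 0xFF)
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)                # optional 32-bit kvno
        out += struct.pack(">i", len(body)) + body     # signed entry length
    return bytes(out)


def read_keytab(blob):
    """Return one dict per live entry, in the order klist -kt would list them."""
    if blob[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version 0x0502 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, pos)
        pos += 4
        if size < 0:                 # negative length marks a deleted slot
            pos += -size
            continue
        body = blob[pos:pos + size]
        pos += size
        off = 0
        (ncomp,) = struct.unpack_from(">H", body, off); off += 2
        (rlen,) = struct.unpack_from(">H", body, off); off += 2
        realm = body[off:off + rlen].decode(); off += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", body, off); off += 2
            comps.append(body[off:off + clen].decode()); off += clen
        _name_type, timestamp, vno8 = struct.unpack_from(">IIB", body, off); off += 9
        enctype, klen = struct.unpack_from(">HH", body, off); off += 4
        key = body[off:off + klen]; off += klen
        kvno = vno8
        if off + 4 <= len(body):     # 32-bit kvno present; non-zero overrides vno8
            (vno32,) = struct.unpack_from(">I", body, off)
            if vno32:
                kvno = vno32
        entries.append({"principal": format_principal(comps, realm), "kvno": kvno,
                        "enctype": ENCTYPE_NAMES.get(enctype, str(enctype)),
                        "key": key, "timestamp": timestamp})
    return entries


def keytab_has_principal(blob, principal):
    """Entries whose name matches exactly; 'host@REALM' will not match
    'host/fqdn@REALM', which is the mismatch to look for when a ticket is rejected."""
    comps, realm = parse_principal(principal)
    want = format_principal(comps, realm)
    return [e for e in read_keytab(blob) if e["principal"] == want]


if __name__ == "__main__":
    # Constructed sample entries: not real keys, not a real realm.
    blob = build_keytab([
        ("host/smb1.example.com@EXAMPLE.COM", 3, 18, bytes(range(32)), 1053500000),
        ("host/smb1.example.com@EXAMPLE.COM", 300, 17, bytes(range(16)), 1053500100),
    ])
    print("KVNO Timestamp   Principal (enctype)")
    for e in read_keytab(blob):
        print("%4d %s  %s (%s)" % (e["kvno"], time.strftime("%Y-%m-%d", time.gmtime(e["timestamp"])),
                                   e["principal"], e["enctype"]))
    print("host@EXAMPLE.COM present:", bool(keytab_has_principal(blob, "host@EXAMPLE.COM")))
```

Run against a real keytab, `read_keytab(open("/etc/krb5.keytab", "rb").read())` gives the same principal/kvno/enctype view as `klist -kt`, and `keytab_has_principal` makes the instance question concrete: if the KDC created `host/smb1.example.com@EXAMPLE.COM` but the keytab only holds `host@EXAMPLE.COM` (or the kvno differs because the principal was re-keyed), smbd cannot decrypt the client's service ticket.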