[Samba] Kerberos TGT support in Samba 3.0

Jerome Walter walter+samba at efrei.fr
Wed May 21 05:40:50 GMT 2003


On Tue, May 20, 2003 at 07:29:49PM +0200, "Martin v. Löwis" wrote:
> Jerome Walter wrote:
> 
> >One point surprised me yet. When creating principals in the KDC we used to
> >use host/hostname.domain.tld at REALM as instance/principal. Should I really
> >add a principal without any instance ?
> 
> The question is what kind of tickets the Windows clients will request.
> You should see for yourself, and check documentation etc, but I believe
> Microsoft hasn't fully grasped the notion of service instances, and 
> instead requests keys for "the machine"; it also doesn't use the FQDN.

I was thinking W2k would use an AD-like authentication process (using PAC
extensions) when configured with Kerberos... I'll look at this.

> At least that's what happens when I use smbclient to 
> kerberos-authenticate in my W2k domain; such a ticket ends up in my
> ticket cache.

Yep, but smbclient is a lot smarter than a whole W2k station ;)

> I have tested the client side only so far, with the standard Debian 
> packages of Samba 3.0. It worked out of the box. Kerberos authentication
> is reported to work for the server side as well; you should configure
> the realm at run-time (i.e. not at compile-time).
> 
> >By the way, the server I am trying to change was the PDC. Is there any
> >possibility to keep the PDC functions working while using the Kerberos
> >authentication ?
> 
> Why don't you use just the PDC Kerberos server, and authenticate 
> everything against that? Works fine for me (except that Linux 
> smbmount/smbfs doesn't support Kerberos authentication)

Not so easy ... W2k is looking for an AD domain controller when setting up
with ksetup.exe and Samba/MIT KDC does not support PAC extensions. W2k should
not be able to get accounting info (rid, primaryGroupID ...) well.

Anyway, I'll try this today but I am not sure about how you configured this.

Jerome

-- 
-+--   Jérôme Walter - 	I2 EFREI		          ----+-
 Equipe Système - Efrei Robotique - Jap'Efrei - Erasmus Tutors
 "The World is my country" - "Nihon no tomodachi desu"
EFREI System and Networking guide http://perso.efrei.fr/~walter/  
