[Samba] Kerberos TGT support in Samba 3.0

Jerome Walter walter+samba at efrei.fr
Wed May 21 11:16:27 GMT 2003

On Wed, May 21, 2003 at 09:19:10AM +1000, Andrew Bartlett wrote:
> On Wed, 2003-05-21 at 03:18, Jerome Walter wrote:
> > By the way, the server I am trying to change was the PDC. Is there any
> > possibility to keep the PDC functions working while using the Kerberos
> > authentication? I am starting to test a GINA with pam to get all the
> > functions working, am I wrong? Perhaps I missed something ...
> It looks like you want the Active Directory DC support that we just
> don't have yet :-).

Yes and no. Actually, I do not want to have the whole AD domain. What I need is
to sync NT passwords with unices ones. Currently, we have Unices
authenticating and getting accounts from an LDAP server. I would like to
minimize the changes for unices and do not want them to authenticate against
NT domain.

It seemed that Kerberos could have been the solution, but I am open to any

> Samba 3.0 currently can't join an MIT domain, and even if it could, you
> still need to make the clients get their tickets from the MIT domain - a
> non-trivial task.

Yes, I know. I was wondering about using pgina (a replacement for msgina that
uses pam-like authentication) by adding a pam_krb5 module. This would
authenticate the NT station against the Kerberos KDC and then let msgina get
the standard NT domain authentication against Samba PDC.

What I asked myself (and to you) was if there was no way to get NT Kerberos
credentials already acquired against the KDC to authenticate against PDC and
so avoid re-authenticating on the NTLM manner, and thus avoid sending the
password, even encrypted, on the network.
I am aware that it is not standard and so should not be implemented, but I was
wondering about any trick to do so.

The point is that I think I will have to implement the pam_krb5 module for
pgina if there is no contradiction with standard authentication. Or perhaps
someone has an experience to share about my password syncing problem?


