[Samba] Kerberos TGT support in Samba 3.0

Martin v. Löwis martin at v.loewis.de
Wed May 21 18:57:53 GMT 2003

Jerome Walter <walter+samba at efrei.fr> writes:

> > Samba 3.0 currently can't join an MIT domain, and even if it could, you
> > still need to make the clients get their tickets from the MIT domain - a
> > non-trivial task.
> Yes, i know. I was wondering about using pgina (a replacement for msgina that
> uses pam-like authentication) by adding a pam_krb5 module. 

Wouldn't replacing the _kerberos._tcpip DNS entry be sufficient to
have clients use a different KDC?

> What i asked myself (and to you) was if there was no way to get NT Kerberos
> credentials already acquired against the KDC to authenticate against PDC and
> so avaoid re-authenticating on the NTLM manner, and thus avoid sending the
> passord, even encrypted, on the network.

You would have to setup a trust relationship between the two KDCs. I
think Microsoft has some documentation about that.


More information about the samba mailing list