[Samba] Kerberos TGT support in Samba 3.0
Martin v. Löwis
martin at v.loewis.de
Wed May 21 18:57:53 GMT 2003
Jerome Walter <walter+samba at efrei.fr> writes:
> > Samba 3.0 currently can't join an MIT domain, and even if it could, you
> > still need to make the clients get their tickets from the MIT domain - a
> > non-trivial task.
>
>
> Yes, i know. I was wondering about using pgina (a replacement for msgina that
> uses pam-like authentication) by adding a pam_krb5 module.
Wouldn't replacing the _kerberos._tcpip DNS entry be sufficient to
have clients use a different KDC?
> What i asked myself (and to you) was if there was no way to get NT Kerberos
> credentials already acquired against the KDC to authenticate against PDC and
> so avaoid re-authenticating on the NTLM manner, and thus avoid sending the
> passord, even encrypted, on the network.
You would have to setup a trust relationship between the two KDCs. I
think Microsoft has some documentation about that.
Regards,
Martin
More information about the samba
mailing list