[Samba] ADS with Kerberos trust

Fernando Fonseca fernando.fonseca at triaton.com.br
Mon Nov 17 13:44:36 GMT 2003


Hi Fergus,

Look at the PDF included in the /doc directory of the Samba source package, called
HOWTO Collection; in sections 4.3.5 and 7.4 you will see how to do it.

I understand that just by setting the following 2 parameters you tell AD to use
Kerberos:
security = ADS
encrypt password = yes

To test your Kerberos connection you can use kinit and klist, usually placed in
/usr/kerberos/bin.

[ ]'s


On Saturday 15 November 2003 01:42, Fergus wrote:
> Hi Fernando,
> We are using Samba 3 and I got it to authenticate to ADS.. But the key
> is to try and get it to authenticate to ADS using the alternative
> kerberos mapping.  When you do this mapping in AD you can login using
> kerberos credentials.  I'm just not sure how to tell Samba to do this.
>
> Fergus
>
> -----Original Message-----
> From: Fernando Fonseca [mailto:fernando.fonseca at triaton.com.br]
> Sent: Friday, 14 November 2003 9:31 PM
> To: Fergus McKenzie-Kay; samba at lists.samba.org
> Subject: Re: [Samba] ADS with Kerberos trust
>
>
> Fergus,
>
> What version of Samba are you using?
>
> With version 3.0, if you set "encrypt password = yes" in smb.conf you
> will tell it to use Kerberos, but I think that you already do it.
>
> The other parameter is "security = ADS", which enables the search in ADS.
>
> On Friday 14 November 2003 04:18, Fergus McKenzie-Kay wrote:
> > Hi,
> > We have an environment where we use LDAP and Kerberos and we are
> > having trouble setting up Samba with both of these. We also have a
> > win2k Active Directory server that has all the users mapped to our
> > kerberos realm.  Unfortunately when we try and configure to use the
> > Active Directory server for authentication it tries to use the native
> > win2k password and not the kerberos realm mapping. I have tried to set
> > the smb.conf to the kerberos realm and the password server to the KDC
> > but I get: "session setup failed: NT_STATUS_NO_LOGON_SERVERS"
> >
> > Does anyone have any ideas how to make samba either use active
> > directory with the username mappings to kerberos?  Or simply use
> > kerberos authentication while and LDAP authorisation? I believe the
> > first solution would be easier as then AD would look after all the
> > details.. whereas when we tried to setup samba talking to kerberos and
> > ldap, the ldap config needed changing and samba had to know how to
> > create users in kerberos and ldap.
> >
> > Any ideas would be appreciated.
> >
> > --
> > Fergus McKenzie-Kay <Linux at NerdIT.com>

-- 
Fernando Fonseca
Network Administrator
Tel: +55(11)4039-9260
Triaton do Brasil 
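
The settings and the ticket test discussed in this thread, as an added example that is not part of the original messages: a shell check that an smb.conf [global] section has `security = ADS`, a `realm`, and does not disable `encrypt passwords` (the parameter's spelling in smb.conf), plus a `klist -s` ticket test. The function names, the sample file and the EXAMPLE.COM realm are assumptions made for illustration.

```shell
# Added example. smb.conf section and parameter names are case-insensitive
# and ignore whitespace, so names are normalised before comparing.

# Print "name=value" for each [global] parameter, with the name normalised.
smb_global_params() {
    awk '
        /^[ \t]*[#;]/ { next }                      # comment lines
        /^[ \t]*\[/ {                               # section header
            s = tolower($0)
            sub(/^[ \t]*\[/, "", s); sub(/\].*$/, "", s); gsub(/[ \t]/, "", s)
            in_global = (s == "global"); next
        }
        in_global && index($0, "=") {
            k = tolower(substr($0, 1, index($0, "=") - 1))
            v = substr($0, index($0, "=") + 1)
            gsub(/[ \t]/, "", k)                    # "Encrypt Passwords" -> encryptpasswords
            gsub(/^[ \t]+|[ \t\r]+$/, "", v)
            print k "=" v
        }' "$1"
}

# Last value of one normalised parameter ($1) from the list in $2.
smb_param() { printf '%s\n' "$2" | sed -n "s/^$1=//p" | tail -n 1; }

# Return 0 if [global] is set up for Kerberos authentication against AD.
smb_ads_check() {
    params=$(smb_global_params "$1") || return 2
    sec=$(smb_param security "$params" | tr 'A-Z' 'a-z')
    enc=$(smb_param encryptpasswords "$params" | tr 'A-Z' 'a-z')
    rc=0
    [ "$sec" = "ads" ] || { echo "security is '${sec:-unset}', expected ads"; rc=1; }
    [ -n "$(smb_param realm "$params")" ] || { echo "realm is not set"; rc=1; }
    case "$enc" in no|false|0) echo "encrypt passwords is disabled"; rc=1 ;; esac
    return $rc
}

# After kinit, MIT klist -s exits 0 only if the cache holds a valid ticket.
krb_ticket_ok() { command -v klist >/dev/null 2>&1 && klist -s; }

# Constructed sample configuration (EXAMPLE.COM is a placeholder realm).
sample=$(mktemp)
cat > "$sample" <<'EOF'
[Global]
   Security = ADS
   ; security = user
   realm = EXAMPLE.COM
   Encrypt Passwords = yes
EOF
smb_ads_check "$sample" && echo "smb.conf: ADS settings present"
```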


