[Samba] Samba 3 in MIT Kerberos Realm

Andrew Bartlett abartlet at samba.org
Wed Oct 22 13:25:56 GMT 2003


On Wed, 2003-10-22 at 10:07, Aaron Rosenblum wrote:
> Hi,
> 
> 	I have been reading through the docs for Samba 3, and there is a lot 
> of talk about how samba 3 can function in an AD domain as a member 
> server and accept kerberos service tickets issued by an MS KDC.  (net 
> ads join, etc...)
> 	I have a slightly different twist on a similar situation.  I have an 
> MIT kerberos realm set up and my Windows2000 PCs get tickets from this 
> realm on login just fine.  I would like to set up a samba server as 
> purely a fileserver, and I want my PC clients to be able to mount samba 
> shares using Kerberos service tickets issued by my MIT KDC.  I know 
> many more people are probably using AD as their KDC, but we want to 
> decrease our reliance on AD.  (That is the idea, isn't it? :-) )  It 
> seems like this should work. Is this possible?  If so, how do I 
> configure the samba server?  What do I tell my Kerberos admin to put in 
> the keytab for samba?  i.e. smbserver/my.host.com at my.realm.com ???

This needs work - Jeremy was looking into the matter, but I'm not sure
what state it got to. That said, if you have the Windows side taking
the Kerberos tickets, the rest is only a matter of unwinding Samba's 'not
using the keytab' work.

> As an addition, I am fine with managing my users locally on this samba 
> server (as opposed to binding to an LDAP server). Our KDC has a large 
> number of users in it, and I only want to give access to a very small 
> subset of these users.  I just want these users to be able to present a 
> service ticket from our MIT realm as authentication instead of being 
> prompted for a password.

Only users in /etc/passwd will be authenticated.

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net