[Samba] Kerberos and Samba

Aaron Rosenblum arosenbl at mac.com
Sat Apr 10 22:30:49 GMT 2004


In reply to my own message, I do know that you can set up a trust between a UNIX (in our case) MIT Kerberos realm and AD so that your users can use their UNIX Kerberos credentials to log into their machines and access standard Kerberos services, but also use the services that require AD at the same time (without logging in again).  The logic would follow that you could then bind a Samba server to the AD in this setup and then could use it from Windows, even though you initially logged in with your UNIX Kerberos/LDAP identity.  I have not been able to get *this* to work either; the Samba member server will bind to the AD, but when I try to log into it from a Windows client that has both a TGT from our MIT KDC and our AD KDC (which trusts the MIT one) I get a variety of errors, none seeming all too consistent.  Can anyone on the Samba team comment as to whether a setup like this should work?  In theory, I would expect it to...

Aaron 


On Saturday, April 10, 2004, at 06:22PM, Aaron Rosenblum <arosenbl at mac.com> wrote:

>What I think you are trying to do is have a Samba file server be a member of a Kerberos (MIT) realm outside of the use of Active Directory.  In my experience, I have not been able to get this to work, since although Samba seems to be able to use LDAP for user account information, it can't seem to be able to use an MIT-based KDC authentication backend.  To do this, you would need to be able to install a keytab file on your Samba server so it would work with your KDC.  I have not been able to figure out how to do this (although you can get it to work with an AD KDC).  I would love to hear otherwise because we need this ability for our site as well.
>
>Aaron 
>
>
>On Saturday, April 10, 2004, at 06:09AM, Sensei <senseiwa at tin.it> wrote:
>
>>Hi. 
>>
>>I've built an AFS cell, a Kerberos KDC, an OpenLDAP server, all 
>>kerberized. Now all Linux clients can log in on the cell using K5 
>>authentication, finding information about their home dirs with LDAP. 
>>Their homes reside on the AFS cell, which allows r/w access since it 
>>releases a token from the K5 ticket. All Mac OS X clients can log in as 
>>well... but what about Windows? ^___^;;; 
>>
>>I've been sent here from a kerberos group, telling me samba could be
>>useful. 
>>
>>I'd like to avoid creating Windows users on every Windows client... and
>>I know I can set up an AD server, creating users on Kerberos/AFS/LDAP
>>AND the same users on AD... quite long... 
>>
>>Is Samba of any use? Can I grant tickets and tokens via Samba, mapping
>>Windows home directories onto the AFS home dir? This information can be
>>retrieved from OpenLDAP... 
>>
>>Any hint?
>>-- 
>>Sensei    <mailto:senseiwa at tin.it>
>>          <icqnum:241572242>
>>          <msn-id:Sensei_Sen at hotmail.com>
>>A)bort, R)etry, I)nfluence with large hammer.
>>
>>
>>-- 
>>To unsubscribe from this list go to the following URL and read the
>>instructions:  http://lists.samba.org/mailman/listinfo/samba
>>
>>


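The setup discussed in this thread (an MIT realm trusted by AD, with a Samba member server joined to AD) rests on two configuration pieces that the messages only describe in words. The fragment below is an added, constructed illustration; it is not from this thread or from the Samba project, and every realm name, hostname and the hypothetical `fileserver` are assumptions. It shows the `krb5.conf` that declares the direct cross-realm trust and maps hostnames to realms, and the `smb.conf` `[global]` settings for a Samba 3.x member server joined to the AD realm.

```ini
# --- /etc/krb5.conf on the Samba member server (constructed example) ---
[libdefaults]
    default_realm = MIT.EXAMPLE.COM
    dns_lookup_kdc = false

[realms]
    MIT.EXAMPLE.COM = {
        kdc = kdc.mit.example.com
        admin_server = kdc.mit.example.com
    }
    AD.EXAMPLE.COM = {
        kdc = dc1.ad.example.com
    }

[domain_realm]
    .mit.example.com = MIT.EXAMPLE.COM
    .ad.example.com = AD.EXAMPLE.COM
    # The Samba host sits in the UNIX DNS domain but its cifs/ service
    # principal was created by the AD join, so it must map to the AD realm
    # (hypothetical host name).
    fileserver.mit.example.com = AD.EXAMPLE.COM

[capaths]
    # "." means a direct trust with no intermediate realm in the path.
    MIT.EXAMPLE.COM = {
        AD.EXAMPLE.COM = .
    }
    AD.EXAMPLE.COM = {
        MIT.EXAMPLE.COM = .
    }

# --- /etc/samba/smb.conf [global] on the same host (constructed example) ---
[global]
    workgroup = AD
    realm = AD.EXAMPLE.COM
    security = ADS
    encrypt passwords = yes
    password server = dc1.ad.example.com
    ; raise while debugging the Kerberos exchange, lower it afterwards
    log level = 3
```

With this in place the host is joined with `net ads join -U Administrator`, which creates the machine account in AD; Samba then accepts Kerberos service tickets issued by the AD KDC for its `cifs/` principal. Two things to check when a client that holds an MIT TGT gets inconsistent errors against such a server: `klist` on the client should show a cross-realm ticket `krbtgt/AD.EXAMPLE.COM@MIT.EXAMPLE.COM` before any `cifs/` ticket appears, and the `[domain_realm]` mapping must send the file server's name to the realm that actually holds its service key, because a client that resolves the name to the MIT realm will ask the wrong KDC. The two `krbtgt` cross-realm principals on the MIT and AD KDCs must also share a password and an encryption type both KDCs support.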