[Samba] Kerberos and Samba
tarjei at nu.no
Mon Apr 12 09:45:40 GMT 2004
On Sat, 2004-04-10 at 16:07, Andrew Bartlett wrote:
> On Sat, Apr 10, 2004 at 12:09:49PM +0200, Sensei wrote:
> > Hi.
> > I've built an afs cell, a kerberos kdc, an openldap server, all
> > kerberized. Now all linux clients can login on the cell using k5
> > authentication, finding informations about their home dirs with ldap.
> > Their home reside on the afs cell, which allows r/w access since it
> > releases a token from the k5 ticket. All macosx clients can login as
> > well... but what about windows? ^___^;;;
> > I've been sent here from a kerberos group, telling me samba could be
> > useful.
> > I'd like to avoid creating windows users on every windows client... and
> > I know I can set up an AD server, creating users on kerberos/afs/ldap
> > AND the same users on AD... quite long...
> > Is samba of any use? Can I grant tickets and tokens via samba, mapping
> > windows home directories on the afs home dir? This information can be
> > retrieved from openldap...
> Samba cannot use the kerberos tickets directly - not unless the KDC is
> Active Directory (for now). But it is possible for Samba to use the
> same password store. (For NTLM, but not kerberos passwords)
> What is your KDC? MIT or Heimdal? Are you using the Heimdal LDAP backend?
> If you are running Heimdal, what version? Could you run a current snapshot?
> While the work is still new, there is support in Heimdal to read Samba
> password entries in LDAP. There is also an OpenLDAP plugin to set
> both Samba and Kerberos passwords on password change.
> You would need to manually edit your LDAP database, to expose the
> passwords in 'Samba' format - potentially a dump and restore of the
> Heimdal entries might do it, if the sambaSamAccount objectClass was
> added, and you used a current snapshot.
So doing it this way means that you do not need to modify samba in any
> (The type 23 arcfour-hmac-md5 enctype is the Samba NT password)
> Andrew Bartlett
More information about the samba