[Samba] samba with NTLM *and* kerberos authentication

Andrew Bartlett abartlet at samba.org
Mon Aug 8 18:13:36 GMT 2005


On Tue, 2005-08-09 at 04:10 +1000, Andrew Bartlett wrote:
> On Fri, 2005-08-05 at 16:41 -0400, alex.nishri at utoronto.ca wrote:
> > We have an existing samba server with many userids, using NTLM 
> > authentication (stored in OpenLDAP). We would like to add many other
> > userids, which will authenticate against an existing MIT kerberos server.
> > Each of our customers will have either an NTLM-based userid/password, or
> > a kerberos-based userid/password, but never both.
> > 
> > We would like both kinds of userids to work with the same samba server.
> > e.g. in a PC lab, if a customer enters kerberosUserid at REALMNAME.EDU
> > it should authenticate against our kerberos server, and allow access
> > to that user's Samba space; if another customer enters NTLMUserid,
> > it should authenticate using NTLM (stored in our OpenLDAP), and
> > allow access to that user's Samba space.
> > 
> > Is this possible?
> 
> This should be possible, if you set up samba into the kerberos realm with
> cifs/.... and host/.... entries.  Put 'use kerberos keytab = yes' in
> your smb.conf, and it should sort of work.
> 
> Have a play, see how you go.

I should note that getting Windows to accept the login is entirely your
problem - see the MIT/Windows interop stuff, but I've never dealt with
that.

My other proposal is to move to a Heimdal kerberos server, and share the
arcfour-hmac-md5 (aka NT hash) keys with Samba, so that Samba does NTLM
authentication, but you can do kerberos to non-windows clients.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Samba Developer, SuSE Labs, Novell Inc.        http://suse.de
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net