[Samba] Samba and Kerberos V

Gémes Géza geza at kzsdabas.sulinet.hu
Mon Jan 10 20:29:44 GMT 2005


pll+samba at permabit.com wrote:

> >>>>> On Mon, 10 Jan 2005, "Jukka" == Jukka Salmi wrote:
>
>   Jukka> Does Samba have native Kerberos V support, i.e. is it
>   Jukka> possible to authenticate against a (Heimdal, in our case)
>   Jukka> kdc?
>
> >>>>> On Mon, 10 Jan 2005, "Ganeshram" == Ganeshram Iyer wrote:
>
>   Ganeshram> I had just recently asked this question on this.
>
> I see this question pop up on this list every so often, but one thing
> I never see addressed is whether or not Samba can be used to
> authenticate to the localhost, which, using PAM, could then
> authenticate against Kerberos.  Apache can do this, or use its
> mod_auth_krb5 module.  Why can't Samba do something similar?
>
> People who have an existing MIT kerberos implementation aren't going
> to want to switch over to Heimdal.  And storing kerberos data in LDAP
> just seems like an inherently bad idea to begin with.
>
What you are asking for is not possible, as long as:
- Windows clients and the Samba server aren't configured to use plain text
passwords (quite a bad idea IMHO).
- Windows clients do not treat Samba as an Active Directory controller
(see Samba4) which trusts your MIT Kerberos server.
- Windows clients aren't part of an Active Directory domain which trusts
your MIT Kerberos server.
The problem is that when Windows clients send the encrypted NT hashes
to the Samba server, there is no way to get the plaintext back from them,
and thus no possibility to authenticate against Kerberos using that.
I don't know too much about authenticating Windows workstations directly
against MIT Kerberos, and have no idea whether, in that case, the
workstation attempts a Kerberos authentication or not when trying to
connect to the Samba server. If not, then you can't do anything :-(. If yes,
there would be a need for some patches to the winbind daemon which would
allow it to authenticate against MIT Kerberos instead of Active
Directory (also Kerberos based).

Cheers,

Geza
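An added illustration of the point made above (example code, not from the thread or from Samba): in the NTLMv2 challenge-response the client proves knowledge of the NT hash, and the server verifies with nothing more than its stored copy of that hash, so no plaintext password ever reaches the server to be handed on to PAM or a Kerberos KDC. NTLMv2 is assumed as the response variant; the user, domain, password and blob bytes are constructed sample data.

```python
import hmac, os, struct
from hashlib import md5

def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib may lack md4 on OpenSSL 3 builds."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", len(data) * 8)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(48):  # three rounds of 16 steps, each with its own f, word order, shifts, constant
            if i < 16:
                f, k, s, K = F, i, (3, 7, 11, 19)[i % 4], 0
            elif i < 32:
                f, k, s, K = G, (i % 4) * 4 + (i % 16) // 4, (3, 5, 9, 13)[i % 4], 0x5A827999
            else:
                f, k, s, K = H, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i % 16], (3, 9, 11, 15)[i % 4], 0x6ED9EBA1
            a, b, c, d = d, rotl((a + f(b, c, d) + X[k] + K) & 0xFFFFFFFF, s), b, c
        a, b, c, d = (a + aa) & 0xFFFFFFFF, (b + bb) & 0xFFFFFFFF, (c + cc) & 0xFFFFFFFF, (d + dd) & 0xFFFFFFFF
    return struct.pack("<4I", a, b, c, d)

def nt_hash(password: str) -> bytes:
    """NT hash = MD4 of the UTF-16LE password; this is all the server ever stores."""
    return md4(password.encode("utf-16-le"))

def ntlmv2_response(nt: bytes, user: str, domain: str, challenge: bytes, blob: bytes) -> bytes:
    """Client side: NTLMv2 key from the NT hash, then HMAC-MD5 over challenge + blob."""
    v2_key = hmac.new(nt, (user.upper() + domain).encode("utf-16-le"), md5).digest()
    return hmac.new(v2_key, challenge + blob, md5).digest() + blob

def server_verify(stored_nt: bytes, user: str, domain: str, challenge: bytes, response: bytes) -> bool:
    """Server side: recompute from the stored hash only; a password is never available here."""
    expected = ntlmv2_response(stored_nt, user, domain, challenge, response[16:])
    return hmac.compare_digest(expected, response)

def demo(password: str = "password", user: str = "alice", domain: str = "EXAMPLE"):
    """Constructed exchange: returns (accepted with right hash, accepted with wrong hash)."""
    challenge = os.urandom(8)
    blob = b"\x01\x01" + b"\x00" * 6 + os.urandom(8) + os.urandom(8) + b"\x00" * 4  # constructed blob skeleton
    resp = ntlmv2_response(nt_hash(password), user, domain, challenge, blob)  # only the client has the password
    return (server_verify(nt_hash(password), user, domain, challenge, resp),
            server_verify(nt_hash("not-the-password"), user, domain, challenge, resp))
```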
