[Samba] Samba and Kerberos V
Jukka Salmi
jukka at salmi.ch
Tue Jan 11 17:10:00 GMT 2005
Gémes Géza --> samba (2005-01-10 21:29:44 +0100):
> pll+samba at permabit.com wrote:
>
> > > On Mon, 10 Jan 2005, "Jukka" == Jukka Salmi wrote:
> >
> > Jukka> Does Samba have native Kerberos V support, i.e. is it
> > Jukka> possible to authenticate against a (Heimdal, in our case)
> > Jukka> kdc?
[...]
> >
> >I see this question pop up on this list every so often, but one thing
> >I never see addressed is whether or not Samba can be used to
> >authenticate to the localhost, which, using PAM, could then
> >authenticate against Kerberos. Apache can do this, or use its
> >mod_auth_krb5 module. Why can't Samba do something similar?
[...]
> >
> What you are asking for is not possible, as long as:
> -Windows clients, and Samba server aren't configured to use plain text
> passwords (quite a bad idea IMHO).
> -Windows clients do not treat Samba as an Active Directory controller
> (see Samba4) which trusts your MIT Kerberos server.
> -Windows clients aren't part of an Active Directory domain which trusts
> your MIT Kerberos server.
> The problem is that when Windows clients send the encrypted NT hashes
> to the Samba server, there is no way to get the plaintext back from them,
> and thus no possibility of authenticating with that against Kerberos.
> I don't know too much about authenticating Windows workstations directly
> against MIT Kerberos, and have no idea whether, in that situation, the
> workstation attempts a Kerberos authentication or not when trying to
> connect to the Samba server. If not, then you can't do anything :-(. If so,
> there would be a need for some patches to the winbind daemon which would
> allow it to authenticate against MIT Kerberos instead of Active
> Directory (also Kerberos based).
I don't know anything about how Win clients authenticate, but I managed
to configure a Win2k client to obtain a TGT from a Heimdal kdc during
login. This is quite well documented somewhere on Microsoft's website.
Would be great if this ticket allowed the client to access samba shares...
Cheers, Jukka
--
bashian roulette:
$ ((RANDOM%6)) || rm -rf ~