[Samba] Samba and Kerberos V

Jukka Salmi jukka at salmi.ch
Tue Jan 11 17:10:00 GMT 2005

Gémes Géza --> samba (2005-01-10 21:29:44 +0100):
> pll+samba at permabit.com wrote:
> > On Mon, 10 Jan 2005, Jukka Salmi wrote:
> >
> > Jukka> Does Samba have native Kerberos V support, i.e. is it
> > Jukka> possible to authenticate against a (Heimdal, in our case)
> > Jukka> kdc?
> >
> > I see this question pop up on this list every so often, but one thing
> > I never see addressed is whether or not Samba can be used to
> > authenticate to the localhost, which, using PAM, could then
> > authenticate against Kerberos.  Apache can do this, or use its
> > mod_auth_krb5 module.  Why can't Samba do something similar?
> >
> What you are asking for is not possible, as long as:
> - Windows clients and the Samba server aren't configured to use plain text
>   passwords (quite a bad idea IMHO).
> - Windows clients do not treat Samba as an Active Directory controller
>   (see Samba4) which trusts your MIT Kerberos server.
> - Windows clients aren't part of an Active Directory domain which trusts
>   your MIT Kerberos server.
> The problem is that when Windows clients send the encrypted NT hashes
> to the Samba server, there is no way to get back the plaintext from it,
> and thus no possibility to authenticate using that against Kerberos.
> I don't know too much about authenticating Windows workstations directly
> against MIT Kerberos, and have no idea whether, in that case, the
> workstation attempts a Kerberos authentication or not when trying to
> connect to the Samba server. If not, then you can't do anything :-(. If yes,
> there would be a need for some patches to the winbind daemon which would
> allow it to authenticate against MIT Kerberos instead of Active
> Directory (also Kerberos based).

I don't know anything about how Win clients authenticate, but I managed
to configure a Win2k client to obtain a TGT from a Heimdal kdc during
login. This is quite well documented somewhere on Microsoft's website.

Would be great if this ticket allowed the client to access samba shares...

Cheers, Jukka

bashian roulette:
$ ((RANDOM%6)) || rm -rf ~
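An added illustration of the point Géza makes above (this is not code from the thread, from Samba or from Heimdal): in NTLM-style authentication the server never receives the password, only a keyed MAC computed from the NT hash over a challenge, so a file server holding that hash can verify the client but cannot derive the Kerberos key, which the RFC 3962 string-to-key function computes from the plaintext password. The user name, domain, challenge and target-info blob below are constructed sample values; the pure-Python MD4 is included because hashlib's md4 is disabled in many current OpenSSL builds.

```python
import hashlib
import hmac
import struct

_M = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & _M


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, needed for NT hashes (hashlib may lack it)."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    i3 = lambda x, y, z: x ^ y ^ z
    rounds = (
        (f, list(range(16)), (3, 7, 11, 19), 0),
        (g, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13), 0x5A827999),
        (i3, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        s = list(h)
        for fn, order, shifts, k in rounds:
            for i, idx in enumerate(order):
                a, b, c, d = s
                s[0] = _rotl((a + fn(b, c, d) + x[idx] + k) & _M, shifts[i % 4])
                s.insert(0, s.pop())  # rotate so the next step updates "d"
        h = [(u + v) & _M for u, v in zip(h, s)]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)); this is what a passdb stores."""
    return md4(password.encode("utf-16-le"))


def ntlmv2_response(nthash: bytes, user: str, domain: str,
                    challenge: bytes, blob: bytes) -> bytes:
    """Client side (MS-NLMP NTLMv2): HMAC-MD5 chain over the server challenge.
    Only the hash enters the computation; the password itself is never sent."""
    ntowf_v2 = hmac.new(nthash, (user.upper() + domain).encode("utf-16-le"),
                        hashlib.md5).digest()
    return hmac.new(ntowf_v2, challenge + blob, hashlib.md5).digest()


def server_verify(stored_nthash: bytes, user: str, domain: str,
                  challenge: bytes, blob: bytes, response: bytes) -> bool:
    """Server side: recompute from the stored hash and compare.  Everything
    the server holds or receives is one-way with respect to the password."""
    expected = ntlmv2_response(stored_nthash, user, domain, challenge, blob)
    return hmac.compare_digest(expected, response)


def krb5_aes_string_to_key_stage1(password: str, realm: str, principal: str) -> bytes:
    """First stage of the RFC 3962 AES string-to-key: PBKDF2 over the
    *plaintext* password with salt realm+principal (the final DK() step is
    omitted here).  Nothing on the NTLM side can feed this function."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                               (realm + principal).encode("utf-8"), 4096, 16)


def demo():
    # Constructed sample values (not from the thread).
    password, user, domain = "password", "jukka", "EXAMPLE"
    challenge = bytes.fromhex("0123456789abcdef")
    blob = b"\x01\x01" + b"\x00" * 14 + bytes.fromhex("deadbeef") + b"\x00" * 4
    stored = nt_hash(password)                        # what the server has
    resp = ntlmv2_response(stored, user, domain, challenge, blob)
    ok = server_verify(stored, user, domain, challenge, blob, resp)
    tampered = resp[:-1] + bytes([resp[-1] ^ 0xFF])
    bad = server_verify(stored, user, domain, challenge, blob, tampered)
    wrong_pw = server_verify(nt_hash("Password"), user, domain, challenge, blob, resp)
    return stored.hex(), ok, bad, wrong_pw


if __name__ == "__main__":
    print(demo())
```

The contrast is the whole argument of the thread: `server_verify` needs only the NT hash, so a Samba server can answer a Windows client's challenge/response from its own database, but `krb5_aes_string_to_key_stage1` (and `kinit`) needs the password string, which neither the stored hash nor the received response can yield. That is why an NTLM session cannot be turned into a Kerberos one without the client doing Kerberos itself.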

