[Samba] samba3 and kerberos authentication of users

Ti Leggett leggett at ci.uchicago.edu
Thu May 26 14:05:19 GMT 2005


The with Kerberos option is only to allow samba to authenticate to a
Microsoft Active Directory Kerberos server. You basically have two
options: keep using smbpasswd files or store the passwords in an LDAP
directory. It seems the recommended method by the Samba team is to use
LDAP. However, you can use the pam_smbpass module to keep smbpasswd
files updated with whatever other password methods you might use.
pam_smbpass does not work with LDAP stored passwords to my knowledge.

On Thu, 2005-05-26 at 10:05 +0200, David Komanek wrote:
> Hi all,
> 
> this is probably a VFAQ, but I never found a working solution. I have a 
> standalone samba server running samba ver. 3. In the network, we have 
> heimdal kerberos used to authenticate users for pop3, imap, web-based 
> applications etc. Now I would like to make samba communicate with the 
> kerberos kdc so there will no longer be users in smbpasswd with separate 
> passwords outside of kerberos.
> 
> I already compiled samba with --with-krb5 configure switch and have 
> following options in smb.conf:
> 
> client use spnego = yes
> realm = KERBEROS.REALM.NAME
> use kerberos keytab = yes
> 
> While it is heimdal's kerberos implementation, I added
> 
> default_keytab_name = FILE:/etc/krb5.keytab
> 
> to the [libdefaults] section of /etc/krb5.conf
> as I saw somewhere. But this is still not working for me:
> 
> Debug on the client side:
> 
> $ smbclient -d3 -U komanek //127.0.0.1/homes
> lp_load: refreshing parameters
> Initialising global parameters
> params.c:pm_process() - Processing configuration file "/usr/local/lib/smb.conf"
> Processing section "[global]"
> added interface ip=127.0.0.1 bcast=127.255.255.255 nmask=255.0.0.0
> added interface ip=a.b.c.d bcast=a.b.c.255 nmask=255.255.255.0
> Client started (version 3.0.14a).
> Connecting to 127.0.0.1 at port 445
> Password:
> Doing spnego session setup (blob length=58)
> got OID=1 3 6 1 4 1 311 2 2 10
> got principal=NONE
> Got challenge flags:
> Got NTLMSSP neg_flags=0x608a0215
> NTLMSSP: Set final flags:
> Got NTLMSSP neg_flags=0x60080215
> NTLMSSP Sign/Seal - Initialising with flags:
> Got NTLMSSP neg_flags=0x60080215
> SPNEGO login failed: Logon failure
> session setup failed: NT_STATUS_LOGON_FAILURE
> 
> Using the -k switch in smbclient disables the password prompt, but in other 
> aspects it has the same behavior, regardless of whether I have a valid 
> kerberos ticket or not.
> 
> Debug on the server side:
> 
> [2005/05/26 09:50:15, 4] lib/username.c:map_username(132)
>    Scanning username map /usr/local/etc/samba/smbusers
> [2005/05/26 09:50:15, 5] auth/auth_util.c:make_user_info_map(224)
>    make_user_info_map: Mapping user [XXX.NATUR.CUNI.CZ]\[komanek] from workstation [XXX]
> [2005/05/26 09:50:15, 5] auth/auth_util.c:make_user_info(132)
>    attempting to make a user_info for komanek (komanek)
> [2005/05/26 09:50:15, 5] auth/auth_util.c:make_user_info(142)
>    making strings for komanek's user_info struct
> [2005/05/26 09:50:15, 5] auth/auth_util.c:make_user_info(184)
>    making blobs for komanek's user_info struct
> [2005/05/26 09:50:15, 10] auth/auth_util.c:make_user_info(200)
>    made an encrypted user_info for komanek (komanek)
> [2005/05/26 09:50:15, 3] auth/auth.c:check_ntlm_password(219)
>    check_ntlm_password:  Checking password for unmapped user [XXX.NATUR.CUNI.CZ]\[komanek]@[XXX] with the new password interface
> [2005/05/26 09:50:15, 3] auth/auth.c:check_ntlm_password(222)
>    check_ntlm_password:  mapped user is: [XXX]\[komanek]@[XXX]
> [2005/05/26 09:50:15, 10] auth/auth.c:check_ntlm_password(231)
> 
> 
> 
> What should I do to make kerberos authentication in samba work?
> 
> Thanks in advance,
> 
>    David Komanek
> 
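The client trace quoted above already shows which SPNEGO mechanisms the server advertised: the only OID listed, 1.3.6.1.4.1.311.2.2.10, is NTLMSSP, and no Kerberos OID or service principal appears. The following is an added example, not part of the original thread or of Samba: a small parser for `smbclient -d3` output that reports whether Kerberos was offered. The function name `analyse` and the second sample log are constructed for illustration.

```python
import re

# SPNEGO mechanism OIDs in dotted form.
MECHS = {
    "1.2.840.113554.1.2.2": "Kerberos 5",
    "1.2.840.48018.1.2.2": "Kerberos 5 (legacy Microsoft OID)",
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
}
KRB5_OIDS = {"1.2.840.113554.1.2.2", "1.2.840.48018.1.2.2"}

OID_RE = re.compile(r"got OID=([0-9][0-9 ]*)")
PRINCIPAL_RE = re.compile(r"got principal=(\S+)")
STATUS_RE = re.compile(r"\b(NT_STATUS_\w+)")

def analyse(log_text):
    """Summarise which SPNEGO mechanisms the server offered in a -d3 log."""
    oids, principal, status = [], None, None
    for raw in log_text.splitlines():
        line = raw.lstrip("> \t").strip()   # tolerate mail-quoted logs
        if m := OID_RE.search(line):
            # smbclient prints OIDs space-separated; normalise to dotted form
            oids.append(".".join(m.group(1).split()))
        elif m := PRINCIPAL_RE.search(line):
            principal = None if m.group(1) == "NONE" else m.group(1)
        elif m := STATUS_RE.search(line):
            status = m.group(1)
    return {
        "mechs": [MECHS.get(o, "unknown " + o) for o in oids],
        "kerberos_offered": any(o in KRB5_OIDS for o in oids),
        "principal": principal,
        "status": status,
    }

# Lines copied from the smbclient output quoted in this thread.
THREAD_LOG = """\
> Doing spnego session setup (blob length=58)
> got OID=1 3 6 1 4 1 311 2 2 10
> got principal=NONE
> session setup failed: NT_STATUS_LOGON_FAILURE
"""

# Constructed sample: a server that also advertises Kerberos.
KRB_LOG = """\
got OID=1 2 840 113554 1 2 2
got OID=1 3 6 1 4 1 311 2 2 10
got principal=cifs/fileserver.example.org@EXAMPLE.ORG
"""

if __name__ == "__main__":
    print(analyse(THREAD_LOG), analyse(KRB_LOG))
```

When `kerberos_offered` is false, a client-side ticket has nothing to be used for, so the session can only proceed with NTLMSSP against the server's password backend.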


