[Samba] samba3 and kerberos authentication of users

David Komanek xdavid at lib-eth.natur.cuni.cz
Thu May 26 16:18:59 GMT 2005


Thanks a lot. Please, are there any plans for Samba to communicate directly
with the KDC? And if so, approximately when? :-) Or would it be simple to do
a hack for this?

Thanks,

   David


On Thu, 26 May 2005, Ti Leggett wrote:

> The with Kerberos option is only to allow samba to authenticate to a
> Microsoft Active Directory Kerberos server. You basically have two
> options: keep using smbpasswd files or store the passwords in an LDAP
> directory. It seems the recommended method by the Samba team is to use
> LDAP. However, you can use the pam_smbpass module to keep smbpasswd
> files updated with whatever other password methods you might use.
> pam_smbpass does not work with LDAP stored passwords to my knowledge.
>
> On Thu, 2005-05-26 at 10:05 +0200, David Komanek wrote:
>> Hi all,
>>
>> this is probably a VFAQ, but I never found a working solution. I have a
>> standalone samba server running samba ver. 3. In the network, we have
>> heimdal kerberos used to authenticate users for pop3, imap, web-based
>> applications etc. Now I would like to make samba communicate with the
>> kerberos kdc so there will no longer be users in smbpasswd with separate
>> passwords outside of kerberos.
>>
>> I already compiled samba with the --with-krb5 configure switch and have
>> the following options in smb.conf:
>>
>> client use spnego = yes
>> realm = KERBEROS.REALM.NAME
>> use kerberos keytab = yes
>>
>> While it is heimdal's kerberos implementation, I added
>>
>> default_keytab_name = FILE:/etc/krb5.keytab
>>
>> to the [libdefaults] section of /etc/krb5.conf
>> as I saw somewhere. But this is still not working for me:
>>
>> Debug on the client side:
>>
>> $ smbclient -d3 -U komanek //127.0.0.1/homes
>> lp_load: refreshing parameters
>> Initialising global parameters
>> params.c:pm_process() - Processing configuration file "/usr/local/lib/smb.conf"
>> Processing section "[global]"
>> added interface ip=127.0.0.1 bcast=127.255.255.255 nmask=255.0.0.0
>> added interface ip=a.b.c.d bcast=a.b.c.255 nmask=255.255.255.0
>> Client started (version 3.0.14a).
>> Connecting to 127.0.0.1 at port 445
>> Password:
>> Doing spnego session setup (blob length=58)
>> got OID=1 3 6 1 4 1 311 2 2 10
>> got principal=NONE
>> Got challenge flags:
>> Got NTLMSSP neg_flags=0x608a0215
>> NTLMSSP: Set final flags:
>> Got NTLMSSP neg_flags=0x60080215
>> NTLMSSP Sign/Seal - Initialising with flags:
>> Got NTLMSSP neg_flags=0x60080215
>> SPNEGO login failed: Logon failure
>> session setup failed: NT_STATUS_LOGON_FAILURE
>>
>> Using the -k switch in smbclient disables the password prompt, but in other
>> aspects it has the same behavior, regardless of whether I have a valid
>> kerberos ticket or not.
>>
>> Debug on the server side:
>>
>> [2005/05/26 09:50:15, 4] lib/username.c:map_username(132)
>>    Scanning username map /usr/local/etc/samba/smbusers
>> [2005/05/26 09:50:15, 5] auth/auth_util.c:make_user_info_map(224)
>>    make_user_info_map: Mapping user [XXX.NATUR.CUNI.CZ]\[komanek] from workstation [XXX]
>> [2005/05/26 09:50:15, 5] auth/auth_util.c:make_user_info(132)
>>    attempting to make a user_info for komanek (komanek)
>> [2005/05/26 09:50:15, 5] auth/auth_util.c:make_user_info(142)
>>    making strings for komanek's user_info struct
>> [2005/05/26 09:50:15, 5] auth/auth_util.c:make_user_info(184)
>>    making blobs for komanek's user_info struct
>> [2005/05/26 09:50:15, 10] auth/auth_util.c:make_user_info(200)
>>    made an encrypted user_info for komanek (komanek)
>> [2005/05/26 09:50:15, 3] auth/auth.c:check_ntlm_password(219)
>>    check_ntlm_password:  Checking password for unmapped user [XXX.NATUR.CUNI.CZ]\[komanek]@[XXX] with the new password interface
>> [2005/05/26 09:50:15, 3] auth/auth.c:check_ntlm_password(222)
>>    check_ntlm_password:  mapped user is: [XXX]\[komanek]@[XXX]
>> [2005/05/26 09:50:15, 10] auth/auth.c:check_ntlm_password(231)
>>
>>
>>
>> What should I do to make kerberos authentication in samba work?
>>
>> Thanks in advance,
>>
>>    David Komanek
>>
>

