[Samba] Windows client and kerberos without ADS
skander2 at gmail.com
Fri Nov 11 10:00:03 GMT 2005
I am doing some tests for an SSO for our Windows workstations using
Kerberos without ADS.
So far, the Windows client can obtain the ticket from the Heimdal KDC and
it's possible to log in to SSH servers using Vintela Putty.
I am now trying to use the Kerberos credentials to access Samba shares.
I can mount the shares using my Kerberos tickets from a Linux client and I see
the service ticket for cifs/FQDN, but it doesn't work from Windows.
When connecting to a share I can see that the negotiation phase offers
Kerberos 5, MS Kerberos and NTLM. The Linux client chooses Kerberos but
Windows chooses NTLM and prompts for a login/password.
Is there a way to remove the NTLM from the nego phase on the Samba side
or to force Windows to try Kerberos first on the client side?
Heimdal 0.6.3 with the host/FQDN and cifs/FQDN principals in the db
Samba 3.0.20b-2 with
security = users
use kerberos keytab = yes