[Samba] Windows client and kerberos without ADS

Skander skander2 at gmail.com
Fri Nov 11 10:00:03 GMT 2005


Hello all,

I am doing some tests for an SSO for our Windows workstations using
Kerberos without ADS.
So far, Windows client can obtain the ticket from the Heimdal KDC and
it's possible to login to SSH servers using Vintela Putty.


I am now trying to use the Kerberos credentials to access Samba shares.

I can mount the shares using my Kerberos tickets from a Linux and I see
the service ticket for cifs/FQDN but it doesn't work from Windows.


When connecting to a share I can see that the negotiation phase offers
Kerberos 5, MS Kerberos and NTLM. The Linux client choose Kerberos but
Windows choose NTLM and prompt for a login/password.

Is there a way to remove the NTLM from the nego phase on the Samba side
or to force Windows to try Kerberos first on the client side ?

Config:
Debian unstable

Heimdal 0.6.3 with the host/FQDN and cifs/FQDN principals in the db

Samba 3.0.20b-2 with
security = users

use kerberos keytab = yes

Thanks !


More information about the samba mailing list