[Samba] Windows client and kerberos without ADS

Andrew Bartlett abartlet at samba.org
Sun Nov 13 21:12:27 GMT 2005


On Fri, 2005-11-11 at 11:00 +0100, Skander wrote:
> Hello all,
> 
> I am doing some tests for an SSO for our Windows workstations using
> Kerberos without ADS.
> So far, Windows client can obtain the ticket from the Heimdal KDC and
> it's possible to login to SSH servers using Vintela Putty.
> 
> 
> I am now trying to use the Kerberos credentials to access Samba shares.
> 
> I can mount the shares using my Kerberos tickets from a Linux and I see
> the service ticket for cifs/FQDN but it doesn't work from Windows.
> 
> 
> When connecting to a share I can see that the negotiation phase offers
> Kerberos 5, MS Kerberos and NTLM. The Linux client chooses Kerberos but
> Windows chooses NTLM and prompts for a login/password.
> 
> Is there a way to remove the NTLM from the nego phase on the Samba side
> or to force Windows to try Kerberos first on the client side ?
> 
> Config:
> Debian unstable
> 
> Heimdal 0.6.3 with the host/FQDN and cifs/FQDN principals in the db

Are you connecting from the client as the FQDN, or the NetBIOS name?
Windows clients are very painful in that they will not use the FQDN, nor
even alter the case of their requests.

A simple Ethereal trace should show if the KDC is issuing a ticket (or
indeed if the KDC is being asked at all).

> Samba 3.0.20b-2 with
> security = users
> 
> use kerberos keytab = yes

This should be sufficient.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
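Added example, not part of the thread above and not Samba or Heimdal code: a small POSIX shell helper that makes Andrew's point checkable. A Windows client asks the KDC for cifs/<name> using whatever name was typed in the UNC path (the NetBIOS short name, possibly in upper case) rather than the FQDN, so the KDC and the keytab that `use kerberos keytab = yes` reads need the short-name forms as well. The script lists the principal forms to expect, checks a `ktutil list` style listing for them, and prints the Heimdal kadmin commands to add what is missing. The host name, realm, keytab path and the sample listing are constructed for the example; the kadmin invocations are from Heimdal's documented command set, not from the thread.

```shell
#!/bin/sh
# Example helper (not from the Samba thread): enumerate the cifs/ service
# principal forms a Windows client may request and compare them with a keytab
# listing. Host name, realm and listing below are constructed for the example.

# Principal forms to expect: FQDN as given, plus the short name in lower and
# upper case, because Windows sends the name exactly as typed in \\NAME\share.
spn_variants() {
    fqdn=$1
    realm=$2
    short=${fqdn%%.*}
    lower=$(printf '%s' "$short" | tr 'A-Z' 'a-z')
    upper=$(printf '%s' "$short" | tr 'a-z' 'A-Z')
    printf 'cifs/%s@%s\n' "$fqdn" "$realm"
    printf 'cifs/%s@%s\n' "$lower" "$realm"
    printf 'cifs/%s@%s\n' "$upper" "$realm"
}

# Constructed sample in the layout of Heimdal's `ktutil list`: only the FQDN
# form is present, which satisfies a Linux client but not a Windows one.
SAMPLE_KEYTAB_LISTING='Vno  Type                     Principal
  1  aes256-cts-hmac-sha1-96  cifs/fileserver.example.org@EXAMPLE.ORG
  1  des-cbc-md5              cifs/fileserver.example.org@EXAMPLE.ORG
  1  aes256-cts-hmac-sha1-96  host/fileserver.example.org@EXAMPLE.ORG'

# Print each expected principal that does not appear in the listing
# (the principal is the last whitespace-separated field of each entry line).
# Prints nothing when the keytab already holds every form.
missing_spns() {
    fqdn=$1
    realm=$2
    listing=$3
    spn_variants "$fqdn" "$realm" | while read -r p; do
        if ! printf '%s\n' "$listing" | awk '/@/ {print $NF}' | grep -qxF -- "$p"; then
            printf '%s\n' "$p"
        fi
    done
}

# For each missing principal, the Heimdal commands that create it with a
# random key and export that key into the keytab Samba reads.
# The keytab path /etc/krb5.keytab is an assumption; adjust to your setup.
heimdal_fix_commands() {
    missing_spns "$@" | while read -r p; do
        printf 'kadmin -l add --random-key --use-defaults %s\n' "$p"
        printf 'kadmin -l ext_keytab -k /etc/krb5.keytab %s\n' "$p"
    done
}

# Demonstration against the constructed listing. To check a real keytab,
# pass the output of `ktutil list` as the third argument instead.
heimdal_fix_commands fileserver.example.org EXAMPLE.ORG "$SAMPLE_KEYTAB_LISTING"
```

If the Ethereal trace shows the Windows client sending a TGS-REQ for a name that this list does not contain (for example a mixed-case name the user typed), add that exact form too: the KDC must have a principal whose name matches the request byte for byte, and the keytab must hold its key.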