[Samba] MIT KDC for Samba authentication?

HAND,Nathan Nathan.HAND at dewr.gov.au
Wed Jan 18 03:47:24 GMT 2006

Hi Samba Users,

I have Samba providing shares to several XP clients. The clients
currently authenticate using private/smbpasswd. I do not have an Active
Directory server nor any Windows servers.

I also have an MIT KDC. Various services have been Kerberised including
SSH (proper GSSAPI negotiation) and Apache (Basic auth). This is all
functioning correctly. The Apache login and SSH logins from the XP
clients obviously are not SSO. 

I want the Samba software to use Kerberos authentication as well.
However it won't be possible for the XP clients to contact the KDC so
the Samba server will need to receive the username/password in plaintext
and contact the KDC. I appreciate that this won't be SSO and I also
appreciate that it's not the proper way to do things. I simply want to
replace private/smbpasswd with the KDC to avoid duplicating the

I have followed these instructions from the mail archives.


I have placed the following into the global section of smb.conf

  security = ads
  encrypt passwords = yes
  use kerberos keytab = yes
  password server = mykdc.mydomain.com.au

I have also created a principal
cifs/smbserver.mydomain.com.au at MYDOMAIN.COM.AU and placed that into
/etc/krb5/krb5.keytab on smbserver. That is the location used by the MIT
libraries; I have Apache keys in there that are used by mod_auth_kerb.

When I try to connect using smbclient, entering my Kerberos password
when prompted.

  smbclient // -U nathanh -W MYDOMAIN.COM.AU -d 4

I get the following error message in log.smbd.

  [2006/01/18 14:13:58, 2] auth/auth.c:check_ntlm_password(317)
  check_ntlm_password:  Authentication for user [nathanh] -> [nathanh]

Is what I'm trying to do a supported configuration? The documentation
typically refers to using an existing Win2k or Win2k3 ADS server but I
have neither of those. The documentation also suggests creating an ADS
DC with Samba. That's no good to me because the XP clients won't (can't)
have IP connectivity to the KDC. I just want the Samba server to use the
KDC for the verification of the username/password pairs rather than
checking the private/smbpasswd file.

Possible? Impossible? Are the NTLM encrypted passwords from the XP
client going to trip me up here? I can possibly change registry keys on
the XP clients to emit plaintext, if that's the only way this is going
to work.

Thanks in advance for any help.

The information contained in this e-mail message and any attached files may
be confidential information, and may also be the subject of legal
professional privilege.  If you are not the intended recipient any use,
disclosure or copying of this e-mail is unauthorised.  If you have received
this e-mail in error, please notify the sender immediately by reply e-mail
and delete all copies of this transmission together with any attachments.

More information about the samba mailing list