[Samba] MIT KDC for Samba authentication?
abartlet at samba.org
Wed Jan 18 12:30:54 GMT 2006
On Wed, 2006-01-18 at 14:47 +1100, HAND,Nathan wrote:
> Hi Samba Users,
> I have Samba providing shares to several XP clients. The clients
> currently authenticate using private/smbpasswd. I do not have an Active
> Directory server nor any Windows servers.
> I also have an MIT KDC. Various services have been Kerberised including
> SSH (proper GSSAPI negotiation) and Apache (Basic auth). This is all
> functioning correctly. The Apache login and SSH logins from the XP
> clients obviously are not SSO.
> I want the Samba software to use Kerberos authentication as well.
> However it won't be possible for the XP clients to contact the KDC so
> the Samba server will need to receive the username/password in plaintext
> and contact the KDC. I appreciate that this won't be SSO and I also
> appreciate that it's not the proper way to do things. I simply want to
> replace private/smbpasswd with the KDC to avoid duplicating the
So you want to trade security for password sync?
> I have followed these instructions from the mail archives.
> I have placed the following into the global section of smb.conf
> security = ads
You can only use this if you have an ADS server. Try security=user for
> realm = MYDOMAIN.COM.AU
> encrypt passwords = yes
> use kerberos keytab = yes
> password server = mykdc.mydomain.com.au
This option doesn't refer to a KDC.
> I have also created a principal
> cifs/smbserver.mydomain.com.au@MYDOMAIN.COM.AU and placed that into
> /etc/krb5/krb5.keytab on smbserver. That is the location used by the MIT
> libraries; I have Apache keys in there that are used by mod_auth_kerb.
> When I try to connect using smbclient, entering my Kerberos password
> when prompted.
> smbclient //188.8.131.52/sharename -U nathanh -W MYDOMAIN.COM.AU -d 4
> I get the following error message in log.smbd.
> [2006/01/18 14:13:58, 2] auth/auth.c:check_ntlm_password(317)
> check_ntlm_password: Authentication for user [nathanh] -> [nathanh]
> FAILED with error NT_STATUS_NO_LOGON_SERVERS
You need to kinit first, and then use the -k option.
> Is what I'm trying to do a supported configuration? The documentation
> typically refers to using an existing Win2k or Win2k3 ADS server but I
> have neither of those. The documentation also suggests creating an ADS
> DC with Samba.
This is Samba4, which isn't in a production release yet.
> That's no good to me because the XP clients won't (can't)
> have IP connectivity to the KDC.
> I just want the Samba server to use the
> KDC for the verification of the username/password pairs rather than
> checking the private/smbpasswd file.
> Possible? Impossible? Are the NTLM encrypted passwords from the XP
> client going to trip me up here? I can possibly change registry keys on
> the XP clients to emit plaintext, if that's the only way this is going
> to work.
That is certainly the only way this could possibly work, if you cannot
talk Kerberos between the XP machines and the KDC. Look into pam_krb5
for a possible plaintext solution, but it really isn't a good idea...
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Student Network Administrator, Hawker College http://hawkerc.net
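The three configuration points raised in this reply (security = ads needs a real AD domain controller, password server is not a KDC, and falling back to plaintext passwords is the risky path) can be checked mechanically. The following is an added example, not code from the original thread or from the Samba project: a small smb.conf parser plus a linter for the [global] section. The sample config is constructed from the settings Nathan quoted; the rule wording is mine.

```python
"""Lint the [global] section of an smb.conf for the misconfigurations
discussed in this thread.

Added example, not part of the original post.  The parser and the rules
are written for this illustration; the sample config is constructed from
the settings quoted in the thread.
"""

import re
from typing import Dict, List, Tuple

# Constructed sample (from the quoted settings; share section is made up).
SAMPLE_SMB_CONF = """
[global]
    workgroup = MYDOMAIN
    security = ads
    realm = MYDOMAIN.COM.AU
    encrypt passwords = yes
    use kerberos keytab = yes
    password server = mykdc.mydomain.com.au

[sharename]
    path = /srv/share
    read only = no
"""

_SECTION = re.compile(r"^\[(?P<name>[^\]]+)\]\s*$")
_FALSE = {"no", "false", "0"}

Finding = Tuple[str, str, str]  # (severity, parameter, message)


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse smb.conf text into {section: {parameter: value}}.

    Section names and parameter names are lower-cased and internal
    whitespace in parameter names is collapsed, so 'Password Server'
    and 'password server' compare equal.  '#' and ';' lines are comments.
    A later duplicate parameter overrides an earlier one, as smbd does.
    """
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        m = _SECTION.match(line)
        if m:
            current = m.group("name").strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue  # stray line outside any section, or not a key = value
        key, _, value = line.partition("=")
        key = " ".join(key.lower().split())
        sections[current][key] = value.strip()
    return sections


def lint_global(conf: Dict[str, Dict[str, str]]) -> List[Finding]:
    """Apply the checks that follow from the advice in this thread."""
    g = conf.get("global", {})
    findings: List[Finding] = []

    # smbd defaults to security = user when the parameter is absent.
    security = g.get("security", "user").lower()
    if security == "ads":
        findings.append((
            "high", "security",
            "security = ads requires an Active Directory domain controller "
            "to join; a standalone server checking its own accounts should "
            "use security = user",
        ))

    if "password server" in g:
        findings.append((
            "medium", "password server",
            "password server names a Windows/Samba domain controller for "
            "security = domain/ads; it does not point Samba at a Kerberos KDC",
        ))

    if g.get("encrypt passwords", "yes").lower() in _FALSE:
        findings.append((
            "high", "encrypt passwords",
            "plaintext passwords on the wire (and the matching client "
            "registry change) trade away protection for password sync",
        ))

    return findings


def lint_text(text: str) -> List[Finding]:
    """Convenience wrapper: parse then lint."""
    return lint_global(parse_smb_conf(text))


if __name__ == "__main__":
    for severity, param, msg in lint_text(SAMPLE_SMB_CONF):
        print(f"[{severity}] {param}: {msg}")
```

Run against the constructed sample it reports the two settings this reply objects to; a [global] section with security = user and encrypt passwords = yes and no password server line produces no findings.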