[Samba] MIT KDC for Samba authentication?

Andrew Bartlett abartlet at samba.org
Wed Jan 18 12:30:54 GMT 2006

On Wed, 2006-01-18 at 14:47 +1100, HAND,Nathan wrote:
> Hi Samba Users,
> I have Samba providing shares to several XP clients. The clients
> currently authenticate using private/smbpasswd. I do not have an Active
> Directory server nor any Windows servers.
> I also have an MIT KDC. Various services have been Kerberised including
> SSH (proper GSSAPI negotiation) and Apache (Basic auth). This is all
> functioning correctly. The Apache login and SSH logins from the XP
> clients obviously are not SSO. 
> I want the Samba software to use Kerberos authentication as well.
> However it won't be possible for the XP clients to contact the KDC so
> the Samba server will need to receive the username/password in plaintext
> and contact the KDC. I appreciate that this won't be SSO and I also
> appreciate that it's not the proper way to do things. I simply want to
> replace private/smbpasswd with the KDC to avoid duplicating the
> username/passwords.

So you want to trade security for password sync?

> I have followed these instructions from the mail archives.
>   http://lists.samba.org/archive/samba-technical/2005-March/040065.html
> I have placed the following into the global section of smb.conf
>   security = ads

You can only use this if you have an ADS server.  Try security=user for
a start.

>   realm = MYDOMAIN.COM.AU
>   encrypt passwords = yes
>   use kerberos keytab = yes
>   password server = mykdc.mydomain.com.au

This option doesn't refer to a KDC.

> I have also created a principal
> cifs/smbserver.mydomain.com.au at MYDOMAIN.COM.AU and placed that into
> /etc/krb5/krb5.keytab on smbserver. That is the location used by the MIT
> libraries; I have Apache keys in there that are used by mod_auth_kerb.
> When I try to connect using smbclient, entering my Kerberos password
> when prompted.
>   smbclient // -U nathanh -W MYDOMAIN.COM.AU -d 4
> I get the following error message in log.smbd.
>   [2006/01/18 14:13:58, 2] auth/auth.c:check_ntlm_password(317)
>   check_ntlm_password:  Authentication for user [nathanh] -> [nathanh]

You need to kinit first, and then use the -k option. 

> Is what I'm trying to do a supported configuration? The documentation
> typically refers to using an existing Win2k or Win2k3 ADS server but I
> have neither of those. The documentation also suggests creating an ADS
> DC with Samba. 

This is Samba4, which isn't in a production release yet.

> That's no good to me because the XP clients won't (can't)
> have IP connectivity to the KDC. 

Why not?

> I just want the Samba server to use the
> KDC for the verification of the username/password pairs rather than
> checking the private/smbpasswd file.
> Possible? Impossible? Are the NTLM encrypted passwords from the XP
> client going to trip me up here? I can possibly change registry keys on
> the XP clients to emit plaintext, if that's the only way this is going
> to work.

That is certainly the only way this could possibly work, if you cannot
talk Kerberos between the XP machines and the KDC.  Look into pam_krb5
for a possible plaintext solution, but it really isn't a good idea...

Andrew Bartlett

Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
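As an added illustration (not code from this thread, from Samba, or from either correspondent), the following Python lint encodes the two objections raised in the reply as checks over the quoted smb.conf fragment: `security = ads` is only usable when an Active Directory DC exists, and `password server` names a domain controller rather than a Kerberos KDC. The config text and the set of known MIT KDC hostnames are constructed from the values in the question; the `have_ad_dc` flag is an assumption the administrator supplies, since the lint cannot probe the network.

```python
"""Lint for a Samba 3 smb.conf [global] section that tries to use an MIT KDC.

The checks implement the two points made in the reply above; they are not
a Samba feature and do not consult a live KDC or domain controller.
"""
import re

# Constructed input: the [global] fragment quoted in the original question.
SAMPLE_SMB_CONF = """\
[global]
  security = ads
  realm = MYDOMAIN.COM.AU
  encrypt passwords = yes
  use kerberos keytab = yes
  password server = mykdc.mydomain.com.au
"""

# Constructed: hosts the administrator knows to be MIT KDCs rather than
# Active Directory domain controllers (assumption for the example).
KNOWN_MIT_KDCS = {"mykdc.mydomain.com.au"}


def parse_smb_conf(text):
    """Parse smb.conf text into {section: {parameter: value}}.

    Samba treats parameter names case-insensitively and ignores internal
    whitespace, so names are normalised to lower case with single spaces.
    Lines beginning with ';' or '#' are comments.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue  # stray line outside any section; ignore it
        name, _, value = line.partition("=")
        name = " ".join(name.lower().split())
        sections[current][name] = value.strip()
    return sections


def lint_global(sections, have_ad_dc=False, known_kdcs=KNOWN_MIT_KDCS):
    """Return findings for the [global] section as a list of strings.

    have_ad_dc: whether the server can join an AD domain with a reachable DC
                (supplied by the administrator; not probed here).
    known_kdcs: hostnames that are MIT KDCs, not domain controllers.
    """
    g = sections.get("global", {})
    findings = []
    security = g.get("security", "user").lower()

    # Reply point 1: security = ads only works against an AD domain.
    if security == "ads" and not have_ad_dc:
        findings.append(
            "security = ads requires an Active Directory DC to join; "
            "with only an MIT KDC, start from security = user")

    # Reply point 2: 'password server' names a domain controller for
    # pass-through authentication, not a Kerberos KDC.
    kdcs = {k.lower() for k in known_kdcs}
    for host in g.get("password server", "").replace(",", " ").split():
        if host.lower() in kdcs:
            findings.append(
                "password server = %s points at an MIT KDC, but this "
                "parameter names a domain controller, not a KDC" % host)
    return findings


def suggest_fix(sections):
    """Return a copy of [global] with the reply's first suggestion applied:
    security = user, and no password server entry pointing at a KDC."""
    g = dict(sections.get("global", {}))
    if g.get("security", "").lower() == "ads":
        g["security"] = "user"
    g.pop("password server", None)
    return g


if __name__ == "__main__":
    parsed = parse_smb_conf(SAMPLE_SMB_CONF)
    for finding in lint_global(parsed):
        print("FINDING:", finding)
    print("suggested [global]:", suggest_fix(parsed))
```

Run against the quoted fragment the lint reports both objections; with `have_ad_dc=True` and an empty KDC set it reports nothing, which is the situation the Samba documentation the question refers to actually describes. The fix it suggests is only the first step the reply gives (`security = user`); it does not, and cannot, make NTLM logons from the XP clients verify against the KDC.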