[Samba] Kerberos authentication for non-windows KDCs

Sean P. Elble elbles at sessys.com
Wed Mar 12 22:38:35 GMT 2008


On Wed, 12 Mar 2008, Jeremy Allison wrote:

> On Wed, Mar 12, 2008 at 11:07:28PM +0100, Olivier Sessink wrote:
>> Jeremy Allison wrote:
>>
>>> That's just not true. Many people are successfully using Samba3 to
>>> authenticate with tokens from MIT or Heimdal kerberos servers.
>>> The problem is getting the Windows clients to *get* these tickets, not in
>>> Samba interpreting them.
>>
>> Is 'getting' or 'using' the kerberos ticket the problem?
>>
>> One can install MIT kerberos on windows, and I suppose getting the tickets
>> from an MIT KDC should be possible then, but will the cifs stack in windows
>> actually use those tickets?
>
> In this case - using. MS have a whitepaper on using Windows clients
> with MIT kerberos, but you have to have stand-alone accounts on
> individual machines - not domain accounts. It's completely useless
> and non-scalable in the real world.
>
> When they change this I'll start to believe the "interoperability"
> line...

First off, my apologies for supplying some incorrect information. I had no 
idea Samba was capable of accepting Kerberos tickets, which is a nice 
feature to have.

That said, this is the problem I have run into with my attempt to learn 
how to combine Samba, OpenLDAP, and Kerberos. It's not terribly difficult 
to integrate the three, but the Holy Grail of using MIT Kerberos (or 
Kerberos of any variety, really) on Windows as a member of a Samba 
domain to authenticate to a Samba server seems to be something we will only
see with Samba 4. Please correct me if I am wrong in saying that, but that 
is how it has appeared to me for quite some time.

And once again, my apologies for the incorrect information. My mind always 
thinks Windows is the client, and Samba is the server, ignoring other 
possible configurations for no real good reason. :-)

> Jeremy.
________________________________________________________________________
SES Computer Systems Anti-Virus and Anti-Spam E-Mail Filtering
Powered By ClamAV & SpamAssassin

