[Samba] Kerberos authentication for non-windows KDCs
Sean P. Elble
elbles at sessys.com
Wed Mar 12 22:38:35 GMT 2008
On Wed, 12 Mar 2008, Jeremy Allison wrote:
> On Wed, Mar 12, 2008 at 11:07:28PM +0100, Olivier Sessink wrote:
>> Jeremy Allison wrote:
>>
>>> That's just not true. Many people are successfully using Samba3 to
>>> authenticate
>>> with tokens from MIT or Heimdal kerberos servers.
>>> The problem is getting the Windows clients to *get* these tickets, not in
>>> Samba interpreting them.
>>
>> Is 'getting' or 'using' the kerberos ticket the problem?
>>
>> One can install MIT kerberos on windows, and I suppose getting the tickets
>> from an MIT KDC should be possible then, but will the cifs stack in windows
>> actually use those tickets?
>
> In this case - using. MS have a whitepaper on using Windows clients
> with MIT kerberos, but you have to have stand-alone accounts on
> individual machines - not domain accounts. It's completely useless
> and non-scalable in the real world.
>
> When they change this I'll start to believe the "interoperability"
> line...
First off, my apologies for supplying some incorrect information. I had no
idea Samba was capable of accepting Kerberos tickets, which is a nice
feature to have.
That said, this is the problem I have run into with my attempt to learn
how to combine Samba, OpenLDAP, and Kerberos. It's not terribly difficult
to integrate the three, but the Holy Grail of using MIT Kerberos (or
Kerberos of any variety, really) on Windows as a member of a Samba
domain to authenticate to a Samba server seems to be something we will only
see with Samba 4. Please correct me if I am wrong in saying that, but that
is how it has appeared to me for quite some time.
And once again, my apologies for the incorrect information. My mind always
thinks Windows is the client, and Samba is the server, ignoring other
possible configurations for no real good reason. :-)
> Jeremy.
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/listinfo/samba
> ________________________________________________________________________
> SES Computer Systems Anti-Virus and Anti-Spam E-Mail Filtering
> Powered By ClamAV & SpamAssassin
>
________________________________________________________________________
SES Computer Systems Anti-Virus and Anti-Spam E-Mail Filtering
Powered By ClamAV & SpamAssassin
More information about the samba
mailing list