[Samba] Setting up ADS in Samba with MIT kerberos mapping/backend

Steve Harper s.harper@utah.edu
Tue Mar 18 22:35:02 GMT 2008


We here at the University of Utah have a similar setup that we are 
trying to get working.  We have set up a cross-realm trust between our MIT 
Kerberos server and our Windows AD Domain, and all the user accounts' 
altSecurityIdentities map the AD users to our MIT style kerberos realm. 
AD passwords are set to long random strings.

So far we have followed the guide below on the Samba wiki, with some 
success but there are a few things that still do not work.

http://wiki.samba.org/index.php/Samba_%26_Active_Directory

On linux and mac workstations we can map shares on our samba server once 
we have done a kinit against our kerberos realm.

kinit username@UTAH.EDU
smbclient //sambaserver.utah.edu/SHARENAME -k

Smb shares initiated from the GUI on the Mac work ok on the Tiger 
release of Mac OS X, but seem to fail on Leopard.

Other than that, it all works fine on these clients.

The problem is with the windows workstations.  Workstations that are 
members of the domain can logon with their MIT passwords, specifying the 
kerberos realm in the GINA.  Once there they can seamlessly map drives 
iff they specify their (usually set to garbage) local AD passwords.  All 
other permutations to let the samba or windows server know that we want 
to use our cross-realm trust credentials have been unsuccessful thus far. 
Ideally we would like to be able to map drives to these shares from 
windows machines that are not even members of our AD domain.

A new option I saw that I have not had time to try out yet for the 
smb.conf is
use kerberos keytab = yes

This might help the clients to succeed, or it might be useful in getting 
Samba to attempt to authenticate users directly against our MIT Kerberos 
server.  I've still got a lot of reading and experimenting to do to see 
if we can pull this together.  Hopefully somebody else on this list has 
already fought such a battle and emerged triumphant.  But in perusing 
the list archives for a few hours I have yet to see something like this.

Thanks,
Steve Harper
Center for High Performance Computing
University of Utah.

James Pulver wrote:
> So, I'm trying to figure out how to get Samba to work in this way. 
> Specifically, I have a 2003 R2 AD in 2003 functional level. All user 
> accounts are mapped to the same user account name @ our MIT Kerberos 
> server. Users do not know their AD password.
> 
> Can Samba authenticate users with their Kerberos realm passwords, and 
> know to use the same user name so the UIDs match for both platforms + 
> permissions?
> 
> If it can, what should the smb.conf look like?
> -- 
> James Pulver
> Information Technology Area Supervisor
> LEPP Computer Group
> Cornell University
> 
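As an added illustration, not configuration from this thread and not something the poster reports having tested, this is where the "use kerberos keytab" option mentioned above sits in a Samba 3.0-era smb.conf for a member server of the AD domain. The workgroup and realm names are placeholders; the thread does not give the AD domain's name.

```ini
[global]
   ; Placeholder NetBIOS name of the AD domain (assumption, not from the thread)
   workgroup = ADDOMAIN
   ; Placeholder Kerberos realm of the AD domain the Samba host is joined to
   realm = ADDOMAIN.EXAMPLE
   ; Authenticate through the AD domain the server is a member of
   security = ads
   ; Decrypt incoming Kerberos service tickets with the keys in the host's
   ; system keytab (/etc/krb5.keytab) rather than only the machine password
   ; kept in secrets.tdb.  This is the Samba 3.0.x spelling; Samba 3.4 and
   ; later replaced it with:
   ;   kerberos method = secrets and keytab
   use kerberos keytab = yes
```

Note what this option does and does not change: it only alters where the server looks for its own service keys when validating a ticket. Whether that alone makes the server accept users who hold tickets from the trusted MIT realm is exactly the open question in the thread, and a cross-realm client still has to obtain a service ticket for the server's cifs/ principal, which is the path the kinit plus smbclient -k sequence above already exercises on Linux and Mac clients.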
