[Samba] Setting up ADS in Samba with MIT kerberos mapping/backend

James Pulver jmp242 at mail.lepp.cornell.edu
Wed Mar 19 12:23:49 GMT 2008


Speaking to the kinit, maybe there's a free file manager for windows
that would interop with MIT Leash for passing the ticket to samba? I'm
able to get putty and WinSCP for instance to work with the Network
Identity Manager...

I'm debating dropping samba, and trying again for either a different
file system (AFS or NFS on windows) or having to switch around to using
AD as central authentication (which I'd rather not do).
--
James Pulver
Information Technology Area Supervisor
LEPP Computer Group
Cornell University



Steve Harper wrote:
> We here at the University of Utah have a similar setup that we are 
> trying to get work.  We have set up a cross-realm trust between our MIT 
> Kerberos server and our Windows AD Domain, and all the user accounts 
> altSecurityIdentities map the AD users to our MIT style kerberos realm.
> AD passwords are set to long random strings.
> 
> So far we have followed the guide below on the Samba wiki, with some 
> success but there are a few things that still do not work.
> 
> http://wiki.samba.org/index.php/Samba_%26_Active_Directory
> 
> On linux and mac workstations we can map shares on our samba server once 
> we have done a kinit against our kerberos realm.
> 
> kinit username@UTAH.EDU
> smbclient //sambaserver.utah.edu/SHARENAME -k
> 
> Smb shares initiated from the GUI on the Mac work ok on the Tiger 
> release of Mac OS X, but seem to fail on Leopard.
> 
> Other than that, it all works fine on these clients.
> 
> The problem is with the windows workstations.  Workstations that are 
> members of the domain can logon with their MIT passwords, specifying the 
> kerberos realm in the GINA.  Once there they can seamlessly map drives 
> iff they specify their (usually set to garbage) local AD passwords.  All 
> other permutations to let the samba or windows server know that we want 
> to use our cross-realm trust credentials have been unsuccessful thus far. 
> Ideally we would like to be able to map drives to these shares from 
> windows machines that are not even members of our AD domain.
> 
> A new option I saw that I have not had time to try out yet for the 
> smb.conf is
> use kerberos keytab = yes
> 
> This might help the clients to succeed, or it might be useful in getting 
> Samba to attempt to authenticate users directly against our MIT Kerberos 
> server.  I've still got a lot of reading and experimenting to do to see 
> if we can pull this together.  Hopefully somebody else on this list has 
> already fought such a battle and emerged triumphant.  But in perusing 
> the list archives for a few hours I have yet to see something like this.
> 
> Thanks,
> Steve Harper
> Center for High Performance Computing
> University of Utah.
> 
> James Pulver wrote:
>> So, I'm trying to figure out how to get Samba to work in this way. 
>> Specifically, I have a 2003 R2 AD in 2003 functional level. All user 
>> accounts are mapped to the same user account name @ our MIT Kerberos 
>> server. Users do not know their AD password.
>>
>> Can Samba authenticate users with their Kerberos realm passwords, and 
>> know to use the same user name so the UIDs match for both platforms + 
>> permissions?
>>
>> If it can, what should the smb.conf look like?
>> -- 
>> James Pulver
>> Information Technology Area Supervisor
>> LEPP Computer Group
>> Cornell University
>>
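
As an added illustration (not configuration posted by either James or
Steve, and not taken from the Samba wiki page linked above), here is the
shape of the smb.conf and krb5.conf fragments that Steve's
"use kerberos keytab = yes" suggestion would go into, with a cross-realm
path declared so that a ticket from the MIT realm can be used against a
Samba server joined to AD. All names are placeholders: AD realm
AD.EXAMPLE.EDU with KDC dc1.ad.example.edu, MIT realm EXAMPLE.EDU with
KDC kerberos.example.edu, and file server sambaserver.example.edu. The
option names are those of the Samba 3.0.x series this thread concerns;
later releases replace "use kerberos keytab" with
"kerberos method = secrets and keytab".

```ini
# /etc/samba/smb.conf -- added example, placeholder names throughout.
[global]
    workgroup = AD
    realm = AD.EXAMPLE.EDU
    security = ads
    encrypt passwords = yes
    # Verify incoming Kerberos tickets against /etc/krb5.keytab rather
    # than against the machine password in secrets.tdb. The keytab must
    # hold the cifs/ and host/ principals for this server in the AD realm
    # ("net ads keytab create" populates it after the join) and must be
    # refreshed whenever the machine account password changes.
    use kerberos keytab = yes
    # Strip the DOMAIN\ prefix so a mapped principal resolves to the bare
    # Unix account name the thread wants to line up with the MIT user name.
    winbind use default domain = yes

# /etc/krb5.conf on the Samba server -- added example.
[libdefaults]
    default_realm = AD.EXAMPLE.EDU
    dns_lookup_kdc = false

[realms]
    AD.EXAMPLE.EDU = {
        kdc = dc1.ad.example.edu
    }
    EXAMPLE.EDU = {
        kdc = kerberos.example.edu
    }

[domain_realm]
    # Service principals for the Samba host live in the AD realm, even
    # though the host sits under the MIT realm's DNS domain.
    sambaserver.example.edu = AD.EXAMPLE.EDU
    .ad.example.edu = AD.EXAMPLE.EDU
    .example.edu = EXAMPLE.EDU

[capaths]
    # Direct two-way cross-realm trust; "." means no intermediate realm.
    EXAMPLE.EDU = {
        AD.EXAMPLE.EDU = .
    }
    AD.EXAMPLE.EDU = {
        EXAMPLE.EDU = .
    }
```

Two checks are worth running before blaming the client side. On the
server, "net ads testjoin" confirms the machine account is usable and
"klist -kt /etc/krb5.keytab" should list
cifs/sambaserver.example.edu@AD.EXAMPLE.EDU with a kvno that matches
the machine account in AD. From a client with only an MIT ticket,
"kinit user@EXAMPLE.EDU" followed by
"kvno cifs/sambaserver.example.edu@AD.EXAMPLE.EDU" exercises the
cross-realm path on its own; klist should then show a
krbtgt/AD.EXAMPLE.EDU@EXAMPLE.EDU entry next to the service ticket. If
that step fails, the trust or the capaths/domain_realm entries are the
problem rather than Samba; if it succeeds but the mount still fails,
the remaining issue is how smbd maps the foreign principal
user@EXAMPLE.EDU onto a local account, which these fragments do not
solve by themselves.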