[Samba] Forcing Windows Kerberos tickets to be used for authentication to a samba share
Thomas Glanzmann
thomas at glanzmann.de
Wed May 6 13:54:55 GMT 2009
Hello,
I used
net ads join createcomputer="OU=Computer,OU=ErlF,OU=UNIX,OU=_CentralServices,DC=ww004,DC=glanzmann,DC=net" -W WW004 -U adglth0a
to join a Samba machine to an Active Directory. Now I would like to
configure it in a way that Windows clients use a cifs/hostname Kerberos
ticket to authenticate to the machine. I tried the following settings:
[global]
workgroup = WW004
netbios name = ad027088pc
server string = SMB Server
; security = DOMAIN
security = ADS
encrypt passwords = true
; use kerberos keytab = true
realm = WW004.SIEMENS.NET
ldap suffix = dc=ww004,dc=glanzmann,dc=net
ldap ssl = No
client lanman auth = no
client ntlmv2 auth = no
client use spnego = yes
restrict anonymous = 2
log level = 2
preferred master = No
local master = No
domain master = No
os level = 0
directory mask = 0775
oplocks = No
kernel oplocks = No
level2 oplocks = No
invalid users = root, broot
veto files = /*.eml/*.nws/riched20.dll/*.{*}/
create mask = 0775
browseable = No
[homes]
comment = All UNIX Home Directories
browseable = No
public = No
writable = Yes
But that didn't help. What is interesting, though, is that when I unjoin the
machine from AD and try to connect, I see, when I list the Windows
Kerberos tickets using "klist tickets", a ticket for the service
principal cifs/hostname even if that service principal is not registered
to any account in the Active Directory at that time.
This is with samba version 2:3.2.5-4lenny2 running on Debian Lenny.
Thomas
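Editor's note, added example (not part of the original post or of Samba itself): a Windows client that connects to \\hostname or \\hostname.fqdn asks the KDC for a ticket to cifs/<that name>, so the first thing to verify on the Samba host is which service principals the machine account actually holds. The script below parses the principal column of MIT `klist -k` output and reports the cifs/ SPNs (short name and FQDN) that are not present. The listing embedded in it is constructed sample output; the host name and realm are taken from the post. Note that the `client lanman auth`, `client ntlmv2 auth` and `client use spnego` options in the posted smb.conf govern what Samba negotiates as a client when it connects outwards, not what Windows clients negotiate when they connect to smbd.

```shell
#!/bin/sh
# Added example, not from the original post: check that the cifs/ service
# principals a Windows client will request for this host are in the local
# keytab. Assumptions: host "ad027088pc", realm "WW004.SIEMENS.NET" (both
# from the post); SAMPLE_KLIST is constructed output in MIT `klist -k` format.

SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/ad027088pc.ww004.siemens.net@WW004.SIEMENS.NET
   3 host/AD027088PC@WW004.SIEMENS.NET
   3 AD027088PC$@WW004.SIEMENS.NET'

# required_spns SHORTNAME FQDN REALM
# Print the principals a client may ask for, one per line: clients that browse
# to \\SHORTNAME request cifs/SHORTNAME, clients using the FQDN request cifs/FQDN.
required_spns() {
    printf '%s\n' "cifs/$2@$3" "cifs/$1@$3"
}

# keytab_principals KLIST_OUTPUT
# Extract the principal column from `klist -k` output (rows whose first field
# is a numeric KVNO), lowercased: AD matches service/host names
# case-insensitively, so compare in one case.
keytab_principals() {
    printf '%s\n' "$1" | awk 'NF == 2 && $1 ~ /^[0-9]+$/ { print tolower($2) }'
}

# missing_spns KLIST_OUTPUT SHORTNAME FQDN REALM
# Print each required principal that is absent from the keytab listing.
missing_spns() {
    listing="$1"; shift
    have=$(keytab_principals "$listing")
    required_spns "$@" | while IFS= read -r spn; do
        lc=$(printf '%s' "$spn" | tr 'A-Z' 'a-z')
        printf '%s\n' "$have" | grep -Fqx "$lc" || printf '%s\n' "$spn"
    done
}

# Stand-alone run against the constructed sample: both cifs/ SPNs are missing.
missing=$(missing_spns "$SAMPLE_KLIST" ad027088pc ad027088pc.ww004.siemens.net WW004.SIEMENS.NET)
if [ -n "$missing" ]; then
    printf 'cifs/ SPNs missing from the keytab:\n%s\n' "$missing"
    printf 'Register each one with "net ads keytab add <principal>" (see net(8) for your Samba version).\n'
else
    printf 'All expected cifs/ SPNs are present.\n'
fi
```

On the real host, replace the constructed listing with `$(klist -k /etc/krb5.keytab)` (or `net ads keytab list`). If a cifs/ principal is missing, the client cannot obtain a service ticket for it and falls back to NTLM regardless of the smb.conf settings shown above; `net ads keytab add` in Samba 3.x adds the principal both to the keytab and to the computer account's servicePrincipalName attribute in AD.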