[Samba] Kerberos as a password backend

Andrew Bartlett abartlet at samba.org
Wed Sep 8 22:54:41 MDT 2010


On Wed, 2010-09-08 at 00:07 +0930, Indexer wrote:
> Hi,
> 
> After a bit of research and sniffing about, I am curious as to what it would take to run Samba3 with Kerberos (MIT or Heimdal) as the password backend.
> 
> http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/ref-guide/s1-samba-servers.html shows how you can use share mode ADS, with krb5 auth. Is it possible to use any KDC as the "password server = linux.kdc", and if so, is there a way to generate the needed host / service principals for the samba server to "fool" samba into thinking it is part of an AD setup? What principals would they be?

The 'password server' command refers to either a CIFS server on which to
conduct a 'man in the middle' attack on the NTLM authentication stream,
when security=server, or the DC to contact when 'security=domain'.  It
is not relevant to Kerberos authentication, which relies instead on a
locally stored keytab or password, shared with the KDC.

You can set up Samba to accept tickets issued somehow to your clients by
an MIT or Heimdal KDC.  See 'kerberos method' in your smb.conf for the
documentation. 

Andrew Bartlett
-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.
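
Added example (not part of the original message and not Samba's own code): a small audit of an smb.conf [global] section for the distinction drawn in the reply, flagging security=server pass-through, a 'password server' set alongside 'kerberos method', and a dedicated keytab with no path. The sample configuration is constructed, and the finding codes are hypothetical names chosen for this example.

```python
import re

# Constructed sample smb.conf; 'linux.kdc' is the host name used in the question.
SAMPLE_CONF = """\
[global]
    Security = SERVER
    password server = linux.kdc
    Kerberos Method = dedicated keytab
[share]
    path = /srv/share
"""

def parse_global(text):
    """Collect [global] parameters. smb.conf parameter names are
    case-insensitive and whitespace inside them is ignored."""
    text = re.sub(r"\\\r?\n", "", text)          # join backslash-continued lines
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            params["".join(name.lower().split())] = value.strip()
    return params

def audit(text):
    """Return finding codes (hypothetical names) for the settings discussed above."""
    p = parse_global(text)
    security = p.get("security", "").lower()
    method = " ".join(p.get("kerberosmethod", "").lower().split())
    findings = []
    if security == "server":
        # The NTLM exchange is passed through to the 'password server' host.
        findings.append("ntlm-passthrough")
    if "passwordserver" in p and method:
        # 'password server' does not choose a KDC; tickets are checked
        # against the locally stored keytab or password.
        findings.append("password-server-is-not-kdc")
    if method == "dedicated keytab" and "dedicatedkeytabfile" not in p:
        # 'dedicated keytab file' supplies the path for this method.
        findings.append("dedicated-keytab-file-missing")
    return findings

if __name__ == "__main__":
    for code in audit(SAMPLE_CONF):
        print(code)
```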