[Samba] Samba - Kerberos delegation support
Andrew Bartlett
abartlet at samba.org
Fri Dec 28 21:30:35 MST 2012
On Thu, 2012-12-20 at 11:06 +0000, Touretsky, Gregory wrote:
> Hi,
>
> We're implementing RPCSEC_GSS with authentication against AD in our NFSv3 environment.
> Our Windows users use Samba to access NFS storage from their laptops.
> What would be the best way to configure Samba to "forward" the credentials from Windows laptop to be able to access NFS on user's behalf?
> I saw some notes about Kerberos delegation in Samba 4 - is it ready for production use? Any experience with this capability in NFS/Kerberos environment?
It may be possible to extend Samba to support this, but at the moment it
is not supported.
We do have a much more mature GSSAPI stack in Samba 4.0, across the
codebase, and we use that to forward kerberos credentials in the CIFS
and DCE/RPC proxy code, but so far we don't use it in the normal file
server.
You would also need to find a way to initiate the NFS mount from Samba,
and pass it the credentials in the form of a krb5 ccache.
In short, it would be a development project, but the code in Samba 4.0
would do it much better than the old code.
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
More information about the samba
mailing list