[Samba] Can windows clients get kerberos tickets from samba3 PDC?

Gaiseric Vandal gaiseric.vandal at gmail.com
Mon Dec 1 09:42:40 MST 2014


On 12/01/14 11:17, Tiit Kaeeli wrote:
>> Is it possible for windows clients to authenticate against kerberos 
>> and receive tickets from a Samba3 PDC, when kerberos server is MIT 
>> kerberos running on a Linux server, not a Windows AD server?
>>
>> https://help.ubuntu.com/community/Samba/Kerberos
>> Suggests that this may be possible and I can successfully authenticate
>> with smbclient -k. But windows users do not receive tickets on domain 
>> login. At least kerbtray from Windows server 2003 resource kit tools 
>> do not show them on windows7 client.
>>
>> I have not found a definitive statement that it is not possible, nor 
>> any more detailed documentation on how this can be done.
>>
>> So can this be done or not?
>>
>> Where to find documentation?
>> How to get more detailed logging and find out why it is not working?
>>
>> Can this be done with samba4 with external MIT kerberos?
>>
>> Thanks.
>>
>
> Any ideas?
>
>


Samba 3.x is a "classic" (NT4-type) domain using NTLM authentication.
I would suspect that using "smbclient -k" would only be useful if you
were NOT trying to configure your Linux machine as part of a Windows
domain. For Windows, the kerberos auth is only useful if you don't
have a windows domain but you are trying to centralize authentication.
I believe in this case you still have to define the users on the windows
machine anyway.


What is the goal? To have a single password for linux and windows users?

I have been tinkering with MIT kerberos for unix clients. Currently I
use Samba 3.x for windows users. Samba uses the same LDAP backend that is
used for unix clients. Each user LDAP entry has the user name, unix
password and samba password. Since Samba has a password sync
script, unix users change passwords with the "smbpasswd" command (not
passwd) so that the windows and unix passwords stay in sync. I can also
configure client machines to use kerberos passwords, although the
kerberos passwords currently do not sync with the LDAP unix and samba
passwords.


As far as I can tell, Samba 4 does not support MIT kerberos. At this
point, I am seriously considering migrating my domain controllers to
Windows 2008/2012 while keeping Samba for the file servers. Either
way, I have to abandon the MIT kerberos server.



