[Samba] Can windows clients get kerberos tickets from samba3 PDC?
Gaiseric Vandal
gaiseric.vandal at gmail.com
Mon Dec 1 09:42:40 MST 2014
On 12/01/14 11:17, Tiit Kaeeli wrote:
>> Is it possible for windows clients to authenticate against kerberos
>> and receive tickets from a Samba3 PDC, when kerberos server is MIT
>> kerberos running on a Linux server, not a Windows AD server?
>>
>> https://help.ubuntu.com/community/Samba/Kerberos
>> Suggests that this may be possible and I can successfully authenticate
>> with smbclient -k. But windows users do not receive tickets on domain
>> login. At least kerbtray from Windows server 2003 resource kit tools
>> do not show them on windows7 client.
>>
>> I have not found a definitive statement that it is not possible, nor
>> any more detailed documentation on how this can be done.
>>
>> So can this be done or not?
>>
>> Where to find documentation?
>> How to get more detailed logging and find out why it is not working?
>>
>> Can this be done with samba4 with external MIT kerberos?
>>
>> Thanks.
>>
>
> Any ideas?
>
>
Samba 3.x is a "classic" (NT4-type) domain using NTLM authentication.
I would suspect that using "smbclient -k" would only be useful if you
were NOT trying to configure your Linux machine as part of a Windows
domain. For Windows, the kerberos auth is only useful if you don't
have a windows domain but you are trying to centralize authentication.
I believe in this case you still have to define the users on the windows
machine anyway.

What is the goal? To have a single password for linux and windows users?

I have been tinkering with MIT kerberos for unix clients. Currently I
use Samba 3.x for windows users. Samba uses the same LDAP backend that is
used for unix clients. Each user LDAP entry has the user name, unix
password and samba password. Since Samba has a password sync
script, unix users change passwords with the "smbpasswd" command (not
passwd) so that the windows and unix passwords stay in sync. I can also
configure client machines to use kerberos passwords, although the
kerberos passwords currently do not sync with the LDAP unix and samba
passwords.

As far as I can tell, Samba 4 does not support MIT kerberos. At this
point, I am seriously considering migrating my domain controllers to
Windows 2008/2012 while keeping Samba for the file servers. Either
way, I have to abandon the MIT kerberos server.