[Samba] Can windows clients get kerberos tickets from samba3 PDC?

Gaiseric Vandal gaiseric.vandal at gmail.com
Mon Dec 1 10:48:27 MST 2014

On 12/01/14 12:30, Tiit Kaeeli wrote:
> On Mon, 1 Dec 2014, Gaiseric Vandal wrote:
>> On 12/01/14 11:17, Tiit Kaeeli wrote:
>>>> Is it possible for windows clients to authenticate against kerberos 
>>>> and receive tickets from a Samba3 PDC, when the kerberos server is MIT 
>>>> kerberos running on a Linux server, not a Windows AD server?
>>>> https://help.ubuntu.com/community/Samba/Kerberos
>>>> suggests that this may be possible and I can successfully 
>>>> authenticate with smbclient -k. But windows users do not receive 
>>>> tickets on domain login. At least kerbtray from the Windows Server 2003 
>>>> resource kit tools does not show them on a Windows 7 client.
>>>> I have not found a definitive statement that it is not possible, 
>>>> nor any more detailed documentation on how this can be done.
>>>> So can this be done or not?
>>>> Where to find documentation?
>>>> How to get more detailed logging and find out why it is not working?
>>>> Can this be done with samba4 with external MIT kerberos?
>>>> Thanks.
>>> Any ideas?
>> Samba 3.x is a "classic" (NT4-type) domain using NTLM 
>> authentication. I would suspect that using "smbclient -k" would only 
>> be useful if you were NOT trying to configure your Linux machine as 
>> part of a Windows domain. For Windows, the kerberos auth is only 
>> useful if you don't have a windows domain but you are trying to 
>> centralize authentication. I believe in this case you still have to 
>> define the users on the windows machine anyway.
>> What is the goal? To have a single password for linux and windows 
>> users?
> The goal is to get kerberos tickets to windows clients, so that they 
> can be used to SSO to other services.
>> I have been tinkering with MIT kerberos for unix clients. Currently 
>> I use Samba 3.x for windows users. Samba uses the same LDAP backend that 
>> is used for unix clients. Each user LDAP entry has the user 
>> name, unix password and samba password. Since Samba has a password 
>> sync script, unix users change passwords with the "smbpasswd" 
>> command (not passwd) so that the windows and unix passwords stay in 
>> sync. I can also configure client machines to use kerberos 
>> passwords, although the kerberos passwords currently do not sync with 
>> the LDAP unix and samba passwords.
> Same here. Plus I got kerberos passwords in sync with others using
> http://labs.opinsys.com/blog/2010/05/05/smbkrb5pwd-password-syncing-for-openldap-mit-kerberos-and-samba/ 
>> As far as I can tell, Samba 4 does not support MIT kerberos. At this 
>> point, I am seriously considering migrating my domain controllers to 
>> Windows 2008/2012 while keeping Samba for the file servers. Either 
>> way, I have to abandon the MIT kerberos server.
> Yes, currently samba 4 does not support MIT kerberos. It is in
> https://wiki.samba.org/index.php/Roadmap#Active_Directory_Server
> Is there any estimate for it?
> One more bit is unclear for me. If I install Samba4, it will come with 
> a dedicated built-in Heimdal Kerberos server. Can this kerberos server 
> be used directly by Linux kerberos clients, should all access be done 
> through samba, or must there be a separate kerberos server for Linux 
> clients? If the last is true, how should the two kerberos servers be 
> kept in sync?
> For LDAP, it seems to be the last option (Two ldap servers, 
> synchronization is managed by PAM). Is it so?
> We do not have and will not have any windows servers. So the options are:
> 1. Find a way to get kerberos tickets to windows clients using Samba3
> 2. Drop MIT kerberos and go for Samba4 and Heimdal kerberos
> 3. Use Heimdal kerberos for Samba4 and MIT kerberos for Linux
> 4. Wait until Samba4 MIT kerberos support is ready.

My understanding is that with Heimdal vs MIT, the library APIs are not 
compatible. However, the "wire" data (e.g. user authentication, 
getting tickets etc) is. So if you have a Fedora system, which bundles 
MIT kerberos, and you want to use that as a Samba 4 AD DC, you need to 
uninstall the MIT Kerberos libraries and recompile Samba 4 from scratch 
with its Heimdal dependencies.

However, your clients should be OK as is. I configured a Linux client 
to authenticate against a Windows 2008 AD DC with no problem. I 
have not tried using Samba 4 or a Windows 2008 DC as a fully functional 
LDAP server. You would still be able to configure your linux client 
to use kerberos for authentication and LDAP for everything else. You 
would have to manually add the same uid in both LDAP and kerberos 
every time you have a new user or computer account. But you won't 
need two kerberos setups.

Samba 3 will eventually be end-of-lifed so I think migrating from Samba 
3 should be part of your long term plans anyway.  I just don't see how 
option 1 is practical if even possible.

Are you actually trying to achieve true Single Sign On (where you log on 
once to all resources) or a single password for all resources? When I 
log into a unix or windows system, I still need to log in to the company 
intranet BUT at least it is the same user name and password, as it uses 
the same LDAP backend.
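As an added example that is not part of this thread or of the Samba project: the client-side setup the reply above describes (an MIT-kerberos Linux client getting tickets from a Samba 4 / Heimdal-based AD DC, relying only on wire compatibility) comes down to a krb5.conf like the one below. The realm name EXAMPLE.LAN and the DC hostname dc1.example.lan are assumed placeholders; substitute your own.

```ini
# Added example, not from the mailing-list thread: minimal MIT krb5.conf for a
# Linux client whose realm is served by a Samba 4 AD DC.
# Assumptions: realm EXAMPLE.LAN, DC hostname dc1.example.lan (both placeholders).
# Only the Kerberos wire protocol is involved, so the client's MIT libraries
# work against a Heimdal-based KDC; no second KDC is needed for Linux clients.
[libdefaults]
    default_realm = EXAMPLE.LAN
    # An AD DC publishes _kerberos._tcp SRV records, so KDC discovery via DNS works.
    dns_lookup_kdc = true
    dns_lookup_realm = false
    # Do not canonicalize service hostnames via reverse DNS; avoids
    # "server not found in Kerberos database" when PTR records are stale.
    rdns = false

[realms]
    EXAMPLE.LAN = {
        kdc = dc1.example.lan
        admin_server = dc1.example.lan
    }

[domain_realm]
    .example.lan = EXAMPLE.LAN
    example.lan = EXAMPLE.LAN
```

To confirm the client really receives a TGT from the DC, run `kinit user@EXAMPLE.LAN` followed by `klist`; for the "more detailed logging" the original poster asked about, MIT Kerberos honours `KRB5_TRACE=/dev/stderr kinit user@EXAMPLE.LAN`, which prints every KDC exchange, including which KDC was contacted and why a request was rejected. Keeping `dns_lookup_kdc` on with an explicit `kdc =` fallback means the client still works when SRV lookups fail, which is a common cause of "tickets on Linux but not from the domain" reports.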
