[Samba] Changing password in PDC using a pre-hashed value

Rowland Penny rowlandpenny at googlemail.com
Tue Nov 25 09:18:04 MST 2014


On 25/11/14 16:08, Emond Papegaaij wrote:
> On Tue, Nov 25, 2014 at 4:35 PM, Rowland Penny
> <rowlandpenny at googlemail.com> wrote:
>
>     On 25/11/14 15:21, Emond Papegaaij wrote:
>
>         On Tuesday, November 25, 2014 03:12:31 PM Rowland Penny wrote:
>         <cut>
>
>             Kerberos -- Kerberos -- Kerberos
>
>         <cut>
>
>             And just in case you haven't got it yet -- *KERBEROS*
>
>         Ok, you seem very confident that Kerberos can solve our
>         problems :) I'll dive
>         into it. Thanks for the help so far. 
>
>     OK, just forget how you do it now, just think 'I need to do this,
>     can I do it with Active Directory and if so how' and I am very sure
>     that you will find that it will be easier with AD and Kerberos.
>     When you search the internet, search with 'Active Directory', some
>     of the answers will refer to windows, but you should be able to
>     get the gist from them.
>
>
> I've read some articles about Kerberos, and do have some questions 
> about it. From what I've read, Kerberos requires the client to be part 
> of the domain and the client application needs to support the 
> authentication scheme. Both are not possible in our case. For example: 
> I need to perform maintenance on a server, but only have my smartphone 
> (android or ios). I now need to somehow connect to the server using 
> RDP on my phone, but my phone is not in the domain, nor has the client 
> support for Kerberos. Another client that does not seem to support 
> Kerberos is Chrome, the browser used by most coworkers, especially 
> when running Ubuntu. Can I authenticate against a Kerberos service 
> from my Ubuntu laptop without installing and configuring kinit?

Oh come on, you cannot be serious, you cannot expect to properly 
administrate *any* server from a smartphone. =-O

As for Chrome, it looks like it is possible, see here: 
http://www.chromium.org/developers/design-documents/http-authentication

>
> Also, we need to manage servers across several locations. These 
> servers are not in the same domain. We plan to set up a Samba instance 
> per location.
>

Use 'sites', remember this is AD not Unix.

> Did I misunderstand Kerberos, or is this how it works?
>

Yes you have misunderstood Kerberos and yes it is how it works.

Rowland

> Best regards,
> Emond Papegaaij


