[Samba] Changing password in PDC using a pre-hashed value
Rowland Penny
rowlandpenny at googlemail.com
Tue Nov 25 09:18:04 MST 2014
On 25/11/14 16:08, Emond Papegaaij wrote:
> On Tue, Nov 25, 2014 at 4:35 PM, Rowland Penny
> <rowlandpenny at googlemail.com <mailto:rowlandpenny at googlemail.com>> wrote:
>
> On 25/11/14 15:21, Emond Papegaaij wrote:
>
> On Tuesday, November 25, 2014 03:12:31 PM Rowland Penny wrote:
> <cut>
>
> Kerberos -- Kerberos -- Kerberos
>
> <cut>
>
> And just in case you haven't got it yet -- *KERBEROS*
>
> Ok, you seem very confident that Kerberos can solve our
> problems :) I'll dive
> into it. Thanks for the help so far.
>
> OK, just forget how you do it now, just think 'I need to do this,
> can I do with Active Directory and if so how' and I am very sure
> that you will find that it will be easier with AD and Kerberos.
> When you search the internet, search with 'Active Directory', some
> of the answers will refer to windows, but you should be able to
> get gist from them.
>
>
> I've read some articles about Kerberos, and do have some questions
> about it. From what I've read, Kerberos requires the client to be part
> of the domain and the client application needs to support the
> authentication scheme. Both are not possible in our case. For example:
> I need to perform maintenance on a server, but only have my smartphone
> (android or ios). I now need to somehow connect to the server using
> RDP on my phone, but my phone is not in the domain, nor has the client
> support for Kerberos. Another client that does not seem to support
> Kerberos is Chrome, the browser used by most coworkers, especially
> when running Ubuntu. Can I authenticate against a Kerberos service
> from my Ubuntu laptop without installing and configuring kinit?
Oh come on, you cannot be serious, you cannot expect to properly
administrate *any* server from a smartphone. =-O
As for Chrome, it looks like it is possible, see here:
http://www.chromium.org/developers/design-documents/http-authentication
>
> Also, we need to manage servers across several locations. These
> servers are not in the same domain. We plan to setup a Samba instance
> per location.
>
Use 'sites', remember this is AD not Unix.
> Did I misunderstand Kerberos, or is this how it works?
>
Yes you have misunderstood Kerberos and yes it is how it works.
Rowland
> Best regards,
> Emond Papegaaij
More information about the samba
mailing list