Re: [Samba] Kerberos authentication for non-windows KDCs

Wed, 12 Mar 2008 15:40:56 -0700 

On Wed, 12 Mar 2008, Jeremy Allison wrote:


On Wed, Mar 12, 2008 at 11:07:28PM +0100, Olivier Sessink wrote:

Jeremy Allison wrote:


That's just not true. Many people are successfully using Samba3 to
authenticate
with tokens from MIT or Heimdal kerberos servers.
The problem is getting the Windows clients to *get* these tickets, not in
Samba interpreting them.


Is 'getting' or 'using' the kerberos ticket the problem?

One can install MIT kerberos on windows, and I suppose getting the tickets
from an MIT KDC should be possible then, but will the cifs stack in windows
actually use those tickets?


In this case - using. MS have a whitepaper on using Windows clients
with MIT kerberos, but you have to have stand-alone accounts on
individual machines - not domain accounts. It's completely useless
and non-scalable in the real world.

When they change this I'll start to believe the "interoperability"
line...
First off, my apologies for supplying some incorrect information. I had no idea Samba was capable of accepting Kerberos tickets, which is a nice feature to have.
That said, this is the problem I have run into with my attempt to learn how to combine Samba, OpenLDAP, and Kerberos. It's not terribly difficult to integrate the three, but the Holy Grail of using MIT Kerberos (or Kerberos of any variety, really) on Windows as a member of a Samba domain to authenticate to a Samba server seems to be something we will only see with Samba 4. Please correct me if I am wrong in saying that, but that is how it has appeared to me for quite some time.
And once again, my apologies for the incorrect information. My mind always thinks Windows is the client, and Samba is the server, ignoring other possible configurations for no real good reason. :-) 


Jeremy.
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba
________________________________________________________________________
SES Computer Systems Anti-Virus and Anti-Spam E-Mail Filtering
Powered By ClamAV & SpamAssassin


________________________________________________________________________
SES Computer Systems Anti-Virus and Anti-Spam E-Mail Filtering
Powered By ClamAV & SpamAssassin
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

Reply via email to