Re: [Samba] Samba 3, Win2K, and MIT KDC -- possible?

2003-01-28 Thread Andrew Bartlett
On Fri, 2003-01-24 at 20:58, darkness wrote:
>   After setting up Samba 3 I noticed the Windows 2000 box was
> requesting a ticket from the KDC for HOST/@MYREALM.COM
> when it tried to connect to the Samba server.  I presume that W2K is
> sending the ticket it is granted along to the Samba server.  If that
> presumption is correct, is it possible to make Samba authenticate the
> user with the Kerberos ticket they present?  If so, how do I need to
> configure Samba and supporting software?
> 
>   I've got an MIT KDC set up in Linux along with OpenLDAP.
> Linux (Red Hat 8.0) is quite happily doing Kerberos authentication and
> using nss_ldap.  I've got a Windows 2000 workstation that is in a
> workgroup -- not in a domain of any sort.  It is authenticating
> against the same MIT KDC on Linux (set up with KSETUP.EXE).  There is
> no Active Directory server on my network.  I don't really want any of
> the typical "domain" functionality; I don't mind having to create
> local user accounts for each user on the Windows machines, etc.
> 
>   I can supply log output, install strange software, CVS, more
> information on my environment, etc.  I've seen mentions in CVS of
> Andrew Tridgell connecting to smbd with smbclient and an MIT KDC in
> the middle, but no mention of whether this is possible with W2K in
> place of smbclient.  Any help greatly appreciated.

The main issue is getting Samba the password for the domain.  Once it
has the right krb5 keys, the rest should work...

Currently there is no way to set an arbitrary password, only a way to
join with the admin username/pw.  This means that Samba uses LDAP etc to
do it.  We need to add a 'net' command to set the password I think.  It
used to work - but that was in the initial stages when we didn't use our
internal secrets.tdb to store the password.

Andrew Bartlett

-- 
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team  [EMAIL PROTECTED]
Student Network Administrator, Hawker College   [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net



-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba



[Samba] Samba 3, Win2K, and MIT KDC -- possible?

2003-01-24 Thread darkness
After setting up Samba 3 I noticed the Windows 2000 box was
requesting a ticket from the KDC for HOST/@MYREALM.COM
when it tried to connect to the Samba server.  I presume that W2K is
sending the ticket it is granted along to the Samba server.  If that
presumption is correct, is it possible to make Samba authenticate the
user with the Kerberos ticket they present?  If so, how do I need to
configure Samba and supporting software?

I've got an MIT KDC set up in Linux along with OpenLDAP.
Linux (Red Hat 8.0) is quite happily doing Kerberos authentication and
using nss_ldap.  I've got a Windows 2000 workstation that is in a
workgroup -- not in a domain of any sort.  It is authenticating
against the same MIT KDC on Linux (set up with KSETUP.EXE).  There is
no Active Directory server on my network.  I don't really want any of
the typical "domain" functionality; I don't mind having to create
local user accounts for each user on the Windows machines, etc.

I can supply log output, install strange software, CVS, more
information on my environment, etc.  I've seen mentions in CVS of
Andrew Tridgell connecting to smbd with smbclient and an MIT KDC in
the middle, but no mention of whether this is possible with W2K in
place of smbclient.  Any help greatly appreciated.

Thanks in advance,
darkness