Quoting Andrew Deason <[email protected]>:
> On Wed, 15 Dec 2010 10:35:19 -0500
> [email protected] wrote:
>
>> You used to be able to do straight krb5 auth in Samba; like 3.0.12 or
>> so was the first version to support it, and if you want me to look
>> -somewhere- I have a link for the "how-to". Then you could probably
>> do the preexec to get the token. I never actually thought about that
>> part. The krb5 piece worked. I tested that a long while ago, like
>> 3.0.24ish.
>
> Samba can do krb5 auth, but you would need the client to forward
> tickets, too, in order to get tokens. I find it less likely that Samba
> can do that, but I do not really know; maybe it can.

This isn't the how-to I found, but from the list:

With MIT Kerberos, you need to put the following settings in
smb.conf:

    realm = KERBEROS.REALM.NAME
    security = ads
    encrypt passwords = yes
    use kerberos keytab = yes

and to add the appropriate service principals in /etc/krb5.keytab. Which
service principals are appropriate is something of a black art, because
Windows clients think that principal names are case-insensitive. You will
probably need to add

    serv...@realm
    host/server.example.com@REALM
    cifs/server.example.com@REALM

plus some case variations such as

    HOST/server.example.com@REALM
    host/SERVER.example.com@REALM

You can easily see which service principal a Windows client is requesting
by using Ethereal to capture the traffic between the Windows client and
the KDC.
You'll need at least Samba 3.0.11 to avoid a segfault when the client
connects. Current SVN has a patch that makes Samba accept any case
combination in the Kerberos principal name; previously it would accept
only a few variations.
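
An added example, not part of the original message or of Samba: a Python check that parses `klist -k` output and reports which host/cifs case variants of the kind listed above are in the keytab exactly, present only under a different case, or missing. The realm, the sample keytab listing, the function names and the exact set of variants generated are assumptions made for illustration.

```python
import re

# Constructed sample of `klist -k /etc/krb5.keytab` output (not from the message).
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------------------------------
   3 host/server.example.com@EXAMPLE.COM
   3 HOST/server.example.com@EXAMPLE.COM
"""

def parse_klist(text):
    """Return the set of principal names found in plain `klist -k` output."""
    principals = set()
    for line in text.splitlines():
        m = re.match(r"\s*\d+\s+(\S+@\S+)\s*$", line)  # "<kvno> <principal>"
        if m:
            principals.add(m.group(1))
    return principals

def candidate_principals(fqdn, realm, services=("host", "cifs")):
    """Assumed variant set: service lower/upper x first host label lower/upper."""
    short, _, domain = fqdn.lower().partition(".")
    upper_host = short.upper() + ("." + domain if domain else "")
    out = []
    for svc in services:
        for s in (svc.lower(), svc.upper()):
            for h in (fqdn.lower(), upper_host):
                out.append(f"{s}/{h}@{realm}")
    return out

def audit(klist_text, fqdn, realm):
    """Sort each candidate into exact / case_only / missing."""
    have = parse_klist(klist_text)
    folded = {p.lower() for p in have}
    report = {"exact": [], "case_only": [], "missing": []}
    for want in candidate_principals(fqdn, realm):
        if want in have:
            report["exact"].append(want)
        elif want.lower() in folded:
            # Only a differently-cased entry exists; a server that matches
            # principal names case-sensitively would not find this key.
            report["case_only"].append(want)
        else:
            report["missing"].append(want)
    return report

if __name__ == "__main__":
    for kind, names in audit(SAMPLE_KLIST, "server.example.com", "EXAMPLE.COM").items():
        print(kind, *names, sep="\n  ")
```

Feed it the real output of `klist -k` and the principal name seen in the client-to-KDC capture to decide which entries to add to the keytab.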