On Fri, 2003-01-03 at 11:39, Steve Langasek wrote:
> On Thu, Jan 02, 2003 at 06:28:48PM -0600, Kenneth Stephen wrote:
> 
> > > ADS-style Kerberos support only works when both client and server are
> > > Kerberos-aware, so such Kerberos "encrypted passwords" support would be
> > > limited to Win2K and WinXP clients.  This is a question of technical
> > > feasibility, not of implementation.
> 
> >     Not sure what this means. If I run the Samba server on the same
> > machine as a server which understood Kerberos authentication (for example,
> > AIX 5.1 with a DCE based KDC), would that qualify? What about the
> > extra info that Microsoft stuffs into the Kerberos protocol that I've
> > heard Win clients _need_? I need Samba working with a non-Microsoft KDC.
> 
> Windows *clients* don't need the extra data; it's only Windows *servers*
> that need the data -- however, note that I'm using "server" in the sense
> of "anything that provides a service", which would include a workstation
> providing login services for members of your Kerberos realm.  If your
> Samba server doesn't need to provide domain auth services for
> workstation logins, you don't need to worry about the Microsoft PAC.
> AFAIK, Samba-as-a-fileserver doesn't even *support* using the PAC yet;
> it gets its group information from other, more Unix-y sources.
> 
> As for running Samba on a server that understands Kerberos
> authentication, even that is not required; you can easily run Samba as
> your only Kerberos-enabled application on a given machine (well,
> "easily" assuming you know how to go about setting up Kerberos).

And telling Samba about that machine's keytab.  Currently Samba needs to
know the original plaintext password for the machine.

It's been on my todo for a while - a long while...

Andrew Bartlett

-- 
Andrew Bartlett                                 [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team  [EMAIL PROTECTED]
Student Network Administrator, Hawker College   [EMAIL PROTECTED]
http://samba.org     http://build.samba.org     http://hawkerc.net
