On Sat, 2004-04-10 at 16:07, Andrew Bartlett wrote:
> On Sat, Apr 10, 2004 at 12:09:49PM +0200, Sensei wrote:
> > Hi.
> >
> > I've built an afs cell, a kerberos kdc, an openldap server, all
> > kerberized. Now all linux clients can login on the cell using k5
> > authentication, finding information about their home dirs with ldap.
> > Their homes reside on the afs cell, which allows r/w access since it
> > releases a token from the k5 ticket. All macosx clients can login as
> > well... but what about windows? ^___^;;;
> >
> > I've been sent here from a kerberos group, telling me samba could be
> > useful.
> >
> > I'd like to avoid creating windows users on every windows client... and
> > I know I can set up an AD server, creating users on kerberos/afs/ldap
> > AND the same users on AD... quite long...
> >
> > Is samba of any use? Can I grant tickets and tokens via samba, mapping
> > windows home directories on the afs home dir? This information can be
> > retrieved from openldap...
>
> Samba cannot use the kerberos tickets directly - not unless the KDC is
> Active Directory (for now). But it is possible for Samba to use the
> same password store. (For NTLM, but not kerberos passwords)
>
> What is your KDC? MIT or Heimdal? Are you using the Heimdal LDAP backend?
>
> If you are running Heimdal, what version? Could you run a current snapshot?
>
> While the work is still new, there is support in Heimdal to read Samba
> password entries in LDAP. There is also an OpenLDAP plugin to set
> both Samba and Kerberos passwords on password change.
>
> You would need to manually edit your LDAP database, to expose the
> passwords in 'Samba' format - potentially a dump and restore of the
> Heimdal entries might do it, if the sambaSamAccount objectClass was
> added, and you used a current snapshot.

So doing it this way means that you do not need to modify samba in any way?
Cool!

Tarjei

> (The type 23 arcfour-hmac-md5 enctype is the Samba NT password)
>
> Andrew Bartlett
