On Mon, Apr 12, 2004 at 12:05:24PM +0200, Sensei wrote:
> On Sat, 2004-04-10 at 16:07, Andrew Bartlett wrote:
>
> > Samba cannot use the kerberos tickets directly - not unless the KDC is
> > Active Directory (for now). But it is possible for Samba to use the
> > same password store. (For NTLM, but not kerberos passwords)
> >
> > What is your KDC? MIT or Heimdal? Are you using the Heimdal LDAP backend?
>
> MIT K5. The passwords are stored only in the kerberos database.

That is a pity.

> > While the work is still new, there is support in Heimdal to read Samba
> > password entries in LDAP. There is also an OpenLDAP plugin to set
> > both Samba and Kerberos passwords on password change.
> >
> > You would need to manually edit your LDAP database, to expose the
> > passwords in 'Samba' format - potentially a dump and restore of the
> > Heimdal entries might do it, if the sambaSamAccount objectClass was
> > added, and you used a current snapshot.
>
> It would be nice to have just kerberos passwords. I've done this with
> ldap (sasl gssapi authentication via k5) and afs (tokens are released on
> ticket releasing).
>
> The main issue is the integrated windows login: a student must login,
> gain tickets and token, and have his windows home dir set to what ldap
> shows him: this means that afs must be enabled at boot.
>
> How would you do this? I don't have any clues...

Not possible for an integrated kerberos solution at this stage - even MS
doesn't do pure KRB5, all the time.

VL's presentation at SambaXP was very interesting, he presented an AFS
gateway scheme that works with NTLM passwords (hint: it fakes tickets ;-)

You would still use NTLM, and need an NTLM compatible password store for
Samba. (DC or access to password hashes)

Andrew Bartlett
