On Mon, Apr 12, 2004 at 12:21:41PM +0200, Gémes Géza wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Sensei wrote:
> | On Sat, 2004-04-10 at 16:07, Andrew Bartlett wrote:
> |
> |>Samba cannot use the kerberos tickets directly - not unless the KDC is
> |>Active Directory (for now). But it is possible for Samba to use the
> |>same password store. (For NTLM, but not kerberos passwords)
> |>
> |>What is your KDC? MIT or Heimdal? Are you using the Heimdal LDAP backend?
> |
> | MIT K5. The passwords are stored only in the kerberos database.
> |
> |>While the work is still new, there is support in Heimdal to read Samba
> |>password entries in LDAP. There is also an OpenLDAP plugin to set
> |>both Samba and Kerberos passwords on password change.
> |>
> |>You would need to manually edit your LDAP database, to expose the
> |>passwords in 'Samba' format - potentially a dump and restore of the
> |>Heimdal entries might do it, if the sambaSamAccount objectClass was
> |>added, and you used a current snapshot.
> |
> | It would be nice to have just kerberos passwords. I've done this with
> | ldap (sasl gssapi authentication via k5) and afs (tokens are released on
> | ticket releasing).
> |
> | The main issue is the integrated windows login: a student must login,
> | gain tickets and token, and have his windows home dir set to what ldap
> | shows him: this means that afs must be enabled at boot.
> |
> | How would you do this? I don't have any clues...
> |
> I see a different solution here:
> The user authenticates to a Samba controlled Domain, and because Samba has the
> Kerberos password (=NTPassword hash) it could impersonate the user,
> acting to the AFS/Coda cell on behalf of her/him. In this way Samba
> could become a gateway between Windows clients and AFS/Coda servers.
> Unfortunately I don't know how that could be implemented.

See Volker's presentation to SambaXP, and the --with-fake-kaserver
option to Samba.

Andrew Bartlett