Thanks a lot. Please, are there any plans for samba communicating directly
with kdc ? And if so, when approximately ? :-) Or would it be simple to do
a hack for this ?

Thanks,

  David


On Thu, 26 May 2005, Ti Leggett wrote:

The with Kerberos option is only to allow samba to authenticate to a
Microsoft Active Directory Kerberos server. You basically have two
options: keep using smbpasswd files or store the passwords in an LDAP
directory. It seems the recommended method by the Samba team is to use
LDAP. However, you can use the pam_smbpass module to keep smbpasswd
files updated with whatever other password methods you might use.
pam_smbpass does not work with LDAP stored passwords to my knowledge.

On Thu, 2005-05-26 at 10:05 +0200, David Komanek wrote:
Hi all,

this is probably VFAQ, but I never found a working solution. I have a
standalone samba server running samba ver. 3. In the network, we have
heimdal kerberos used to authenticate users for pop3,imap,web-based
applications etc. Now I would like to make the samba communicating with
kerberos kdc so there will no longer be users in smbpasswd with separate
passwords outside of kerberos.

I already compiled samba with --with-krb5 configure switch and have
following options in smb.conf:

client use spnego = yes
realm = KERBEROS.REALM.NAME
use kerberos keytab = yes

While it is heimdal's kerberos implementation, I added

default_keytab_name = FILE:/etc/krb5.keytab

to the [libdefaults] section of /etc/krb5.conf
as I saw somewhere. But this is still not working for me:

Debug on the client side:

$ smbclient -d3 -U komanek //127.0.0.1/homes
lp_load: refreshing parameters
Initialising global parameters
params.c:pm_process() - Processing configuration file "/usr/local/lib/smb.conf"
Processing section "[global]"
added interface ip=127.0.0.1 bcast=127.255.255.255 nmask=255.0.0.0
added interface ip=a.b.c.d bcast=a.b.c.255 nmask=255.255.255.0
Client started (version 3.0.14a).
Connecting to 127.0.0.1 at port 445
Password:
Doing spnego session setup (blob length=58)
got OID=1 3 6 1 4 1 311 2 2 10
got principal=NONE
Got challenge flags:
Got NTLMSSP neg_flags=0x608a0215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60080215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x60080215
SPNEGO login failed: Logon failure
session setup failed: NT_STATUS_LOGON_FAILURE

Using the -k switch in smbclient disables the password prompt, but in other
respects it has the same behavior, regardless of whether I have a valid
kerberos ticket or not.

Debug on the server side:

[2005/05/26 09:50:15, 4] lib/username.c:map_username(132)
   Scanning username map /usr/local/etc/samba/smbusers
[2005/05/26 09:50:15, 5] auth/auth_util.c:make_user_info_map(224)
   make_user_info_map: Mapping user [XXX.NATUR.CUNI.CZ]\[komanek] from workstation [XXX]
[2005/05/26 09:50:15, 5] auth/auth_util.c:make_user_info(132)
   attempting to make a user_info for komanek (komanek)
[2005/05/26 09:50:15, 5] auth/auth_util.c:make_user_info(142)
   making strings for komanek's user_info struct
[2005/05/26 09:50:15, 5] auth/auth_util.c:make_user_info(184)
   making blobs for komanek's user_info struct
[2005/05/26 09:50:15, 10] auth/auth_util.c:make_user_info(200)
   made an encrypted user_info for komanek (komanek)
[2005/05/26 09:50:15, 3] auth/auth.c:check_ntlm_password(219)
   check_ntlm_password:  Checking password for unmapped user [EMAIL PROTECTED] with the new password interface
[2005/05/26 09:50:15, 3] auth/auth.c:check_ntlm_password(222)
   check_ntlm_password:  mapped user is: [EMAIL PROTECTED]
[2005/05/26 09:50:15, 10] auth/auth.c:check_ntlm_password(231)



What should I do to make the kerberos authentication in samba working ?

Thanks in advance,

   David Komanek
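
Added example (not part of the original messages and not Samba code): a small Python helper that reads smbclient -d3 output like the client-side trace above and reports which SPNEGO mechanisms the server offered. In that trace the only OID is 1 3 6 1 4 1 311 2 2 10 (NTLMSSP) and no Kerberos OID appears, so the session setup proceeds with NTLMSSP. Function and variable names are illustrative; the two Kerberos OIDs are the standard values and do not appear in the thread.

```python
import re

# Standard SPNEGO mechanism OIDs; only the NTLMSSP one appears in the thread.
MECHS = {
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
    "1.2.840.113554.1.2.2": "Kerberos 5",
    "1.2.840.48018.1.2.2": "MS Kerberos 5 (legacy OID)",
}
KERBEROS_OIDS = {"1.2.840.113554.1.2.2", "1.2.840.48018.1.2.2"}

OID_RE = re.compile(r"^got OID=([\d .]+?)\s*$")
PRINCIPAL_RE = re.compile(r"^got principal=(\S+)")
STATUS_RE = re.compile(r"\b(NT_STATUS_\w+)")

# Excerpt of the client-side trace quoted in the thread.
SAMPLE = """\
Doing spnego session setup (blob length=58)
got OID=1 3 6 1 4 1 311 2 2 10
got principal=NONE
Got NTLMSSP neg_flags=0x608a0215
SPNEGO login failed: Logon failure
session setup failed: NT_STATUS_LOGON_FAILURE
"""

def analyse(log):
    """Summarise the SPNEGO negotiation seen in smbclient debug output."""
    offered, principal, status = [], None, None
    for line in log.splitlines():
        line = line.strip()
        m = OID_RE.match(line)
        if m:
            # Samba 3.0 prints OIDs space-separated; accept dots as well.
            offered.append(".".join(re.split(r"[ .]+", m.group(1))))
            continue
        m = PRINCIPAL_RE.match(line)
        if m:
            principal = None if m.group(1) == "NONE" else m.group(1)
            continue
        m = STATUS_RE.search(line)
        if m:
            status = m.group(1)  # keep the last status reported
    return {
        "mechanisms": [MECHS.get(o, o) for o in offered],
        "kerberos_offered": any(o in KERBEROS_OIDS for o in offered),
        "principal": principal,
        "status": status,
    }

if __name__ == "__main__":
    print(analyse(SAMPLE))
```

If kerberos_offered is false, the -k switch has nothing to negotiate against, which matches the behaviour described in the original question.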


