On Fri, 2005-11-11 at 11:00 +0100, Skander wrote:
> Hello all,
>
> I am doing some tests for an SSO for our Windows workstations using
> Kerberos without ADS.
> So far, Windows client can obtain the ticket from the Heimdal KDC and
> it's possible to login to SSH servers using Vintela Putty.
>
> I am now trying to use the Kerberos credentials to access Samba shares.
>
> I can mount the shares using my Kerberos tickets from a Linux and I see
> the service ticket for cifs/FQDN but it doesn't work from Windows.
>
> When connecting to a share I can see that the negotiation phase offers
> Kerberos 5, MS Kerberos and NTLM. The Linux client chooses Kerberos but
> Windows chooses NTLM and prompts for a login/password.
>
> Is there a way to remove the NTLM from the nego phase on the Samba side
> or to force Windows to try Kerberos first on the client side?
>
> Config:
> Debian unstable
>
> Heimdal 0.6.3 with the host/FQDN and cifs/FQDN principals in the db

Are you connecting from the client as FQDN, or the NetBIOS name? Windows
clients are very painful in that they will not use the FQDN, nor even
alter the case of their requests. A simple ethereal trace should show if
the KDC is issuing a ticket (or indeed if the KDC is being asked at all).

> Samba 3.0.20b-2 with
> security = users
>
> use kerberos keytab = yes

This should be sufficient.

Andrew Bartlett

--
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
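
Added example, not part of the original thread: a small check that compares the service principal a client would request for a given server name against the principals in the server keytab, to spot the short-name and case mismatches described in the reply. It assumes the client asks for cifs/<name exactly as typed>@REALM and that the KDC matches names case-sensitively; the function name, host names and realm are constructed for illustration.

```python
# Added illustration; diagnose_spn and all sample values are hypothetical.

def diagnose_spn(typed_name, keytab_principals, realm):
    """Classify how the SPN requested for \\\\typed_name relates to the keytab.

    Assumption: the client requests cifs/<typed_name>@<realm> without
    changing case or expanding a short name to an FQDN, and the KDC
    compares principal names byte for byte.
    """
    wanted = f"cifs/{typed_name}@{realm}"

    # Exact match: the KDC can issue a service ticket for this request.
    if wanted in keytab_principals:
        return ("match", wanted)

    # Same principal apart from letter case: the lookup fails on case alone.
    for principal in keytab_principals:
        if principal.lower() == wanted.lower():
            return ("case-mismatch", principal)

    # Short name typed, but only the FQDN form is registered.
    if "." not in typed_name:
        for principal in keytab_principals:
            service, _, rest = principal.partition("/")
            host, _, p_realm = rest.partition("@")
            if (service.lower() == "cifs" and p_realm == realm
                    and host.split(".")[0].lower() == typed_name.lower()):
                return ("short-name-vs-fqdn", principal)

    # Nothing comparable exists; the client will fall back (e.g. to NTLM).
    return ("missing", wanted)


# Constructed sample data mirroring the host/FQDN and cifs/FQDN setup above.
REALM = "EXAMPLE.COM"
PRINCIPALS = [
    "host/fileserver.example.com@EXAMPLE.COM",
    "cifs/fileserver.example.com@EXAMPLE.COM",
]

if __name__ == "__main__":
    for name in ("fileserver.example.com", "FILESERVER",
                 "FileServer.Example.Com", "other"):
        print(name, "->", diagnose_spn(name, PRINCIPALS, REALM))
```

A "short-name-vs-fqdn" or "case-mismatch" result points at the principal that exists, so the fix is either to connect using that exact name or to add a principal for the name the client actually sends.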
