Re: [Samba] ADS with Kerberos trust
Hi Fergus, Look at the PDF included in the /doc directory source package of Samba caled HOWTO Collection, in the section 4.3.5 and 7.4 you will see how to do it. I understand that just seting the 2 following parameters you say to AD to use Kerberos: security = ADS encrypt password = yes To test your kerberos conection you can use kinit and klist, usualy placed in /usr/kerberos/bin. [ ]'s On Saturday 15 November 2003 01:42, Fergus wrote: > Hi Fernando, > We are using Samba 3 and I got it to authenticate to ADS.. But the key > is to try and get it to authenticate to ADS using the alternative > kerberos mapping. When you do thi mapping in AD you can login using > kerberos credentials. I'm just not sure how to tell Samba to do this. > > Fergus > > -Original Message- > From: Fernando Fonseca [mailto:[EMAIL PROTECTED] > Sent: Friday, 14 November 2003 9:31 PM > To: Fergus McKenzie-Kay; [EMAIL PROTECTED] > Subject: Re: [Samba] ADS with Kerberos trust > > > Fergus, > > What version of Samba are you using? > > With the version 3.0 if you set ¨encrypt password = yes¨ in smb.conf you > will > tell it to use Kerberos, but I think that you already do it. > > Other parameter is the ¨security = ADS¨ that enable the search in ADS. > > On Friday 14 November 2003 04:18, Fergus McKenzie-Kay wrote: > > Hi, > > We have an environment where we use LDAP and Kerberos and we are > > having trouble setting up Samba with both of these. We also have a > > win2k Active Directory server that has all the users mapped to our > > kerberos realm. Unfortunately when we try and configure to use the > > Active Directory server for authentication it tries to use the native > > win2k password and not the kerberos realm mapping. I have tried to set > > > > the smb.conf to the kerberos realm and the password server to the KDC > > but I get: "session setup failed: NT_STATUS_NO_LOGON_SERVERS" > > > > Does anyone have any ideas how to make samba either use active > > directory with the username mappings to kerberos? Or simply use > > kerberos authentication while and LDAP authorisation? I believe the > > first solution would be easier as then AD would look after all the > > details.. whereas when we tried to setup samba talking to kerberos and > > > > ldap, the ldap config needed changing and samba had to know how to > > create users in kerberos and ldap. > > > > Any ideas would be appreciated. > > > > -- > > Fergus McKenzie-Kay <[EMAIL PROTECTED]> -- Fernando Fonseca Network Administrator Tel: +55(11)4039-9260 Triaton do Brasil -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
RE: [Samba] ADS with Kerberos trust
On Sat, 2003-11-15 at 14:42, Fergus wrote: > Hi Fernando, > We are using Samba 3 and I got it to authenticate to ADS.. But the key > is to try and get it to authenticate to ADS using the alternative > kerberos mapping. When you do thi mapping in AD you can login using > kerberos credentials. I'm just not sure how to tell Samba to do this. Currently, you cannot. I know at least one other site has asked (and came up with a hack workaround) but we don't currently handle this. I think there might even have been a patch proposed. Search the archives, for both this list and samba-technical, and make sure it's marked up as a bug in bugzilla.samba.org. Sorry, Andrew Bartlett -- Andrew Bartlett [EMAIL PROTECTED] Manager, Authentication Subsystems, Samba Team [EMAIL PROTECTED] Student Network Administrator, Hawker College [EMAIL PROTECTED] http://samba.org http://build.samba.org http://hawkerc.net signature.asc Description: This is a digitally signed message part -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
RE: [Samba] ADS with Kerberos trust
Hi Fernando, We are using Samba 3 and I got it to authenticate to ADS.. But the key is to try and get it to authenticate to ADS using the alternative kerberos mapping. When you do thi mapping in AD you can login using kerberos credentials. I'm just not sure how to tell Samba to do this. Fergus -Original Message- From: Fernando Fonseca [mailto:[EMAIL PROTECTED] Sent: Friday, 14 November 2003 9:31 PM To: Fergus McKenzie-Kay; [EMAIL PROTECTED] Subject: Re: [Samba] ADS with Kerberos trust Fergus, What version of Samba are you using? With the version 3.0 if you set ¨encrypt password = yes¨ in smb.conf you will tell it to use Kerberos, but I think that you already do it. Other parameter is the ¨security = ADS¨ that enable the search in ADS. On Friday 14 November 2003 04:18, Fergus McKenzie-Kay wrote: > Hi, > We have an environment where we use LDAP and Kerberos and we are > having trouble setting up Samba with both of these. We also have a > win2k Active Directory server that has all the users mapped to our > kerberos realm. Unfortunately when we try and configure to use the > Active Directory server for authentication it tries to use the native > win2k password and not the kerberos realm mapping. I have tried to set > the smb.conf to the kerberos realm and the password server to the KDC > but I get: "session setup failed: NT_STATUS_NO_LOGON_SERVERS" > > Does anyone have any ideas how to make samba either use active > directory with the username mappings to kerberos? Or simply use > kerberos authentication while and LDAP authorisation? I believe the > first solution would be easier as then AD would look after all the > details.. whereas when we tried to setup samba talking to kerberos and > ldap, the ldap config needed changing and samba had to know how to > create users in kerberos and ldap. > > Any ideas would be appreciated. > > -- > Fergus McKenzie-Kay <[EMAIL PROTECTED]> -- Fernando Fonseca Network Administrator Tel: +55(11)4039-9260 Triaton do Brasil -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Re: [Samba] ADS with Kerberos trust
Fergus, What version of Samba are you using? With the version 3.0 if you set Âencrypt password = yes in smb.conf you will tell it to use Kerberos, but I think that you already do it. Other parameter is the Âsecurity = ADS that enable the search in ADS. On Friday 14 November 2003 04:18, Fergus McKenzie-Kay wrote: > Hi, > We have an environment where we use LDAP and Kerberos and we are having > trouble setting up Samba with both of these. > We also have a win2k Active Directory server that has all the users > mapped to our kerberos realm. Unfortunately when we try and configure > to use the Active Directory server for authentication it tries to use > the native win2k password and not the kerberos realm mapping. > I have tried to set the smb.conf to the kerberos realm and the password > server to the KDC but I get: > "session setup failed: NT_STATUS_NO_LOGON_SERVERS" > > Does anyone have any ideas how to make samba either use active directory > with the username mappings to kerberos? Or simply use kerberos > authentication while and LDAP authorisation? > I believe the first solution would be easier as then AD would look after > all the details.. whereas when we tried to setup samba talking to > kerberos and ldap, the ldap config needed changing and samba had to know > how to create users in kerberos and ldap. > > Any ideas would be appreciated. > > -- > Fergus McKenzie-Kay <[EMAIL PROTECTED]> -- Fernando Fonseca Network Administrator Tel: +55(11)4039-9260 Triaton do Brasil -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
[Samba] ADS with Kerberos trust
Hi, We have an environment where we use LDAP and Kerberos and we are having trouble setting up Samba with both of these. We also have a win2k Active Directory server that has all the users mapped to our kerberos realm. Unfortunately when we try and configure to use the Active Directory server for authentication it tries to use the native win2k password and not the kerberos realm mapping. I have tried to set the smb.conf to the kerberos realm and the password server to the KDC but I get: "session setup failed: NT_STATUS_NO_LOGON_SERVERS" Does anyone have any ideas how to make samba either use active directory with the username mappings to kerberos? Or simply use kerberos authentication while and LDAP authorisation? I believe the first solution would be easier as then AD would look after all the details.. whereas when we tried to setup samba talking to kerberos and ldap, the ldap config needed changing and samba had to know how to create users in kerberos and ldap. Any ideas would be appreciated. -- Fergus McKenzie-Kay <[EMAIL PROTECTED]> -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
