Hi,

We've been testing Samba 3 for some time now, and we had absolutely no problems connecting it to Windows 2000 KDC, etc...

Now, we're trying to push it further and have it authenticate against a non-windows KDC, and I have to admit that I am nowhere near to it. I've seen a few discussions in this list regarding exactly this issue, but I still don't get it ;-))

I have my KDC set up and it is working (I can authenticate linux users with it). I compiled Samba 3 using --with-pam_krb5 and --with-krb5. It compiles and installs correctly, no problem.

My problem now is: what options can I use in smb.conf to enable this? I've used realm = MYREALM.COM, password server = mykdc.myrealm.com, I even played around with the security = ADS, which of course is not of much use if you don't have AD. And nothing I do seems to kick off "kerberization" of samba, it will never try to get a ticket for any user. I've tested with both XP and 2K clients.

Any clues, pointers, tips are very very welcome.

Thanks in advance,
Nuno

PS - Thanks for the great job you've been doing so far with Samba

PPS - Googling for my answers is no help - whenever you search for "samba kerberos" or "samba KDC" you will always get links to the Active-Directory integration. What we want is to eliminate AD completely and have our windows boxes using our own KDC and LDAP directory.

On Wed, 2003-03-05 at 21:53, Nuno Pereira wrote:
> Hi,
>
> We've been testing Samba 3 for some time now, and we had absolutely no
> problems connecting it to Windows 2000 KDC, etc...
>
> Now, we're trying to push it further and have it authenticate against a
> non-windows KDC, and I have to admit that I am nowhere near to it. I've
> seen a few discussions in this list regarding exactly this issue, but I
> still don't get it ;-))

This is not supported at this time. We need to add some code to allow you to 'set' the member server's password, rather than doing an LDAP or RPC join, and setting it in both places.

This would then require that you manually create the account in the KDC. How you then get windows machines to get the tickets etc is up to you :-)

Andrew Bartlett

--
Andrew Bartlett                                 abartlet@pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet@samba.org
Student Network Administrator, Hawker College   abartlet@hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net