samba - May 2004 - Samba, pam, and kerberos

Hi all,

Is it possible to have a Samba server use pam as the authentication 
mechanism, which then in turn authenticates against an MIT Kerberos
realm?

We already have kerberos up and running, but no Windows Domain 
infrastructure.  We're currently not using LDAP (but we'd want that 
to auth against Kerberos anyway).

I have the Samba-3 HOWTO, but there doesn't seem to be much related 
to kerberos in there.

Thanks,

-- 
Seeya,
Paul

GPG Key fingerprint = 1660 FECC 5D21 D286 F853  E808 BB07 9239 53F1 28EE

	 If you're not having fun, you're not doing it right!

Im not a complete expert in this area, but. If you try winbind its got to
have a correctly configured kerberos client to contact the AD. Could you try
this but specify your MIT Kerberos kdc instead.

Read the smb.conf section on the winbind parameters and make sure your
settings reflect the username / domain structure you have and see what
happens. Id like to know how this goes as over time our company is intrested
in moving away from M$ completetly, using a full Kerberos implimentation
would help us in this area.

Good luck

Brett Stevens  


On 20/5/04 01:55, "pll+samba@permabit.com"
<pll+samba@permabit.com> wrote:
> 
> Hi all,
> 
> Is it possible to have a Samba server use pam as the authentication
> mechanism, which then in turn authenticates against an MIT Kerberos
> realm?
> 
> We already have kerberos up and running, but no Windows Domain
> infrastructure.  We're currently not using LDAP (but we'd want that
> to auth against Kerberos anyway).
> 
> I have the Samba-3 HOWTO, but there doesn't seem to be much related
> to kerberos in there.
> 
> Thanks,

> Im not a complete expert in this area, but. If you try winbind its got to
> have a correctly configured kerberos client to contact the AD. Could you
try
> this but specify your MIT Kerberos kdc instead.
Samba cannot currently acquire Kerberos tickets on behalf of the client

Ahh well, worth a shot.

Brett Stevens


On 20/5/04 11:13, "Adam Tauno Williams" <awilliam@whitemice.org>
wrote:
>> Im not a complete expert in this area, but. If you try winbind its got
to
>> have a correctly configured kerberos client to contact the AD. Could
you try
>> this but specify your MIT Kerberos kdc instead.
> 
> Samba cannot currently acquire Kerberos tickets on behalf of the client

> Ahh well, worth a shot.
There is some development effort to integrate OpenLDAP, Samba, &
Heimdal.  So you will be able to do this someday.