On Fri, 2003-01-24 at 20:58, darkness wrote:
> After setting up Samba 3 I noticed the Windows 2000 box was
> requesting a ticket from the KDC for HOST/<NETBIOS NAME>@MYREALM.COM
> when it tried to connect to the Samba server. I presume that W2K is
> sending the ticket it is granted along to the Samba server. If that
> presumption is correct, is it possible to make Samba authenticate the
> user with the Kerberos ticket they present? If so, how do I need to
> configure Samba and supporting software?
>
> I've got an MIT KDC set up in Linux along with OpenLDAP.
> Linux (Red Hat 8.0) is quite happily doing Kerberos authentication and
> using nss_ldap. I've got a Windows 2000 workstation that is in a
> workgroup -- not in a domain of any sorts. It is authenticating
> against the same MIT KDC on Linux (set up with KSETUP.EXE). There is
> no Active Directory server on my network. I don't really want any of
> the typical "domain" functionality; I don't mind having to create
> local user accounts for each user on the Windows machines, etc.
>
> I can supply log output, install strange software, CVS, more
> information on my environment, etc. I've seen mentions in CVS of
> Andrew Tridgell connecting to smbd with smbclient and an MIT KDC in
> the middle, but no mention of whether this is possible with W2K in
> place of smbclient. Any help greatly appreciated.
The main issue is getting Samba the password for the domain. Once it
has the right krb5 keys, the rest should work...
Currently there is no way to set an arbitrary password, only a way to
join with the admin username/pw. This means that Samba uses LDAP etc to
do it. We need to add a 'net' command to set the password I think. It
used to work - but that was in the initial stages when we didn't use our
internal secrets.tdb to store the password.
Andrew Bartlett
--
Andrew Bartlett abartlet@pcug.org.au
Manager, Authentication Subsystems, Samba Team abartlet@samba.org
Student Network Administrator, Hawker College abartlet@hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net