Hi,

What is/will be the support for Kerberos TGT tickets in Samba 3.0?

I am trying to find a way to authenticate users on both Windows and unix stations against the same KDC (MIT) and it would help if Samba was able to grant access based on TGT tickets delivered to the windows client and then deliver accounting information to the stations.

I am afraid this follows no standard protocol, but I didn't find one implementation that allows me to have a Samba PDC with LDAP backend and unix getting accounts in the LDAP.

I could avoid Kerberos if another secure (no password going "clear" through the network) solution is possible.

TIA for your answers and experience.

Jerome

--
-+-- Jérôme Walter - I2 EFREI ----+-
Equipe Système - Efrei Robotique - Jap'Efrei - Erasmus Tutors
"The World is my country" - "Nihon no tomodachi desu"
EFREI System and Networking guide http://perso.efrei.fr/~walter/

Jerome Walter wrote:
> I am trying to find a way to authenticate users on both Windows and unix
> stations against the same KDC (MIT) and it would help if Samba was able to
> grant access based on TGT tickets delivered to the windows client and then
> deliver accounting information to the stations.

You will have to add a service principal to your KDC, probably using kadmin addprinc/ktadd. I think the principal name should be "host@REALM". You then need to communicate the principal's key to the keytab on the SMB machine (perhaps kadmin can do this all in one step).

Your clients then don't use their TGT to get access to Samba, but instead go to the KDC, which gives them a session ticket for the Samba service. With that session ticket, the clients open the connection to smbd, which validates the ticket based on the shared key that you had created in the KDC before.

HTH,
Martin
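
The flow described in the reply above, as an added toy model that is not part of the original thread and not Samba or MIT Kerberos code: the KDC turns a TGT into a ticket sealed under the service's key, and the service validates it with its keytab key alone. Assumptions: `seal`/`unseal` are a constructed stand-in for Kerberos encryption, the client principal is constructed, and the session key, authenticator and timestamps of the real protocol are left out.

```python
# Toy model of the service-ticket flow (added example, not Samba or MIT code).
# seal()/unseal() are a constructed SHA-256 keystream + HMAC stand-in for
# Kerberos encryption types; the client principal name is constructed.
import hashlib, hmac, json, os

def _xor(key, nonce, data):
    ek = hashlib.sha256(b"enc" + key).digest()
    ks = b"".join(hashlib.sha256(ek + nonce + i.to_bytes(4, "big")).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def _tag(key, msg):
    return hmac.new(hashlib.sha256(b"mac" + key).digest(), msg, hashlib.sha256).digest()

def seal(key, obj):
    nonce = os.urandom(16)
    ct = _xor(key, nonce, json.dumps(obj).encode())
    return nonce + ct + _tag(key, nonce + ct)

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _tag(key, nonce + ct)):
        raise ValueError("not sealed with this key")
    return json.loads(_xor(key, nonce, ct))

class KDC:
    def __init__(self):
        self.db = {"krbtgt@REALM": os.urandom(32)}   # principal -> long-term key

    def addprinc(self, name):
        """Models kadmin addprinc + ktadd: create key, return it for the keytab."""
        self.db[name] = os.urandom(32)
        return self.db[name]

    def login(self, client):
        """Issue a TGT: sealed under the KDC's own key, so only the KDC reads it."""
        return seal(self.db["krbtgt@REALM"], {"client": client})

    def service_ticket(self, tgt, service):
        """Exchange a TGT for a ticket sealed under the service's key."""
        client = unseal(self.db["krbtgt@REALM"], tgt)["client"]
        return seal(self.db[service], {"client": client, "service": service})

def smbd_accept(keytab_key, ticket):
    """Service side: validate with the keytab key only, no KDC round trip."""
    return unseal(keytab_key, ticket)["client"]
```

Presenting the TGT itself to `smbd_accept` fails, because the TGT is sealed under the KDC's key and the keytab holds only the service's key.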