Hi,

I have been reading through the docs for Samba 3, and there is a lot of talk about how Samba 3 can function in an AD domain as a member server and accept Kerberos service tickets issued by an MS KDC (net ads join, etc.). I have a slightly different twist on a similar situation. I have an MIT Kerberos realm set up and my Windows 2000 PCs get tickets from this realm on login just fine. I would like to set up a Samba server as purely a fileserver, and I want my PC clients to be able to mount Samba shares using Kerberos service tickets issued by my MIT KDC. I know many more people are probably using AD as their KDC, but we want to decrease our reliance on AD. (That is the idea, isn't it? :-) ) It seems like this should work. Is this possible? If so, how do I configure the Samba server? What do I tell my Kerberos admin to put in the keytab for Samba? i.e. smbserver/my.host.com@my.realm.com ???

As an addition, I am fine with managing my users locally on this Samba server (as opposed to binding to an LDAP server). Our KDC has a large number of users in it, and I only want to give access to a very small subset of these users. I just want these users to be able to present a service ticket from our MIT realm as authentication instead of being prompted for a password.

Any input would be greatly appreciated.

Thanks,
Aaron
I would be willing to write up docs on this and send them to the community, should I get it working (with your help)...

Aaron

On Oct 21, 2003, at 8:07 PM, Aaron Rosenblum wrote:

> [...]
On Wed, 2003-10-22 at 10:07, Aaron Rosenblum wrote:

> Hi,
>
> I have been reading through the docs for Samba 3, and there is a lot of talk about how Samba 3 can function in an AD domain as a member server and accept Kerberos service tickets issued by an MS KDC (net ads join, etc.). I have a slightly different twist on a similar situation. I have an MIT Kerberos realm set up and my Windows 2000 PCs get tickets from this realm on login just fine. I would like to set up a Samba server as purely a fileserver, and I want my PC clients to be able to mount Samba shares using Kerberos service tickets issued by my MIT KDC. I know many more people are probably using AD as their KDC, but we want to decrease our reliance on AD. (That is the idea, isn't it? :-) ) It seems like this should work. Is this possible? If so, how do I configure the Samba server? What do I tell my Kerberos admin to put in the keytab for Samba? i.e. smbserver/my.host.com@my.realm.com ???

This needs work - Jeremy was looking into the matter, but I'm not sure what state it got to. That said, if you have the Windows side taking the Kerberos tickets, the rest is only a matter of unwinding Samba's 'not using the keytab' work.

> As an addition, I am fine with managing my users locally on this Samba server (as opposed to binding to an LDAP server). Our KDC has a large number of users in it, and I only want to give access to a very small subset of these users. I just want these users to be able to present a service ticket from our MIT realm as authentication instead of being prompted for a password.

Only users in /etc/passwd will be authenticated.

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet@pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet@samba.org
Student Network Administrator, Hawker College   abartlet@hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
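As an added example (not code from this thread or from Samba), here is a small Python check for the keytab the Kerberos admin hands over: it parses the MIT keytab format (version 0x0502) and confirms the file carries a cifs/<fqdn> or host/<fqdn> service principal, which are the service names Samba's Kerberos code uses rather than an smbserver/ name. The host name, realm, key material and the sample keytab bytes are all constructed placeholders.

```python
import struct

def _cstr(b):                     # keytab "counted string": uint16 BE length + bytes
    return struct.pack(">H", len(b)) + b
def build_entry(principal, kvno, enctype=23, key=b"\x00" * 16):  # 23 = rc4-hmac
    # Encodes one keytab entry; used here only to construct sample input.
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _cstr(realm.encode())
    body += b"".join(_cstr(c.encode()) for c in comps)
    body += struct.pack(">IIBH", 1, 0, kvno & 0xFF, enctype)  # name_type, timestamp, vno8, enctype
    body += _cstr(key) + struct.pack(">I", kvno)             # key blob, optional 32-bit kvno
    return struct.pack(">i", len(body)) + body

# Constructed sample keytab (format version 0x0502) with dummy all-zero keys.
SAMPLE_KEYTAB = (b"\x05\x02" + build_entry("cifs/my.host.com@MY.REALM.COM", 3)
                 + build_entry("host/my.host.com@MY.REALM.COM", 3))
def _parse_entry(ent):            # decodes one entry body (after the int32 size prefix)
    p = 0
    def take(fmt):
        nonlocal p
        (v,), p = struct.unpack_from(">" + fmt, ent, p), p + struct.calcsize(">" + fmt)
        return v
    def cstr():
        nonlocal p
        n = take("H"); p += n
        return ent[p - n:p]
    ncomp = take("H")
    realm = cstr().decode()
    comps = [cstr().decode() for _ in range(ncomp)]
    take("I"); take("I")               # name_type (0x0502 only) and timestamp, unused here
    kvno, enctype = take("B"), take("H")
    cstr()                             # key material, not needed for this check
    if len(ent) - p >= 4:              # trailing 32-bit kvno overrides the 8-bit one if nonzero
        kvno = take("I") or kvno
    return ("/".join(comps) + "@" + realm, kvno, enctype)

def parse_keytab(data):           # -> [(principal, kvno, enctype), ...]
    if data[:2] != b"\x05\x02":
        raise ValueError("only MIT keytab format version 0x0502 is supported")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos); pos += 4
        if size < 0:                   # negative size marks a deleted slot; skip it
            pos -= size; continue
        entries.append(_parse_entry(data[pos:pos + size])); pos += size
    return entries

def has_samba_principal(data, fqdn, realm):  # cifs/ or host/ principal present for this host?
    wanted = {f"cifs/{fqdn}@{realm}", f"host/{fqdn}@{realm}"}
    return any(name in wanted for name, _, _ in parse_keytab(data))
```

Against a real file, read it with `open("/etc/krb5.keytab", "rb").read()` and pass the bytes to has_samba_principal together with the server's FQDN and realm.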