I have a Samba 3 server running as my domain controller and want to configure it to authenticate user passwords off an MIT KDC server that is already up and running. I have the KDC client software installed on the Samba box and it will authenticate users using its tools. I have been looking for some sort of a how-to but I have not found anything that works or explains much very well. Most of them give rough examples on how to connect to a Windows ADS but that's not what I'm doing. I would appreciate it if anyone here knows of a working how-to on setting up this configuration.

Currently my smb.conf contains the following lines (among others):

    realm = REALMNAME.COM
    security = ADS
    encrypt passwords = yes

When I try to connect to the Samba server, the smbd kicks out the error:

    check_ntdomain_security: could not fetch trust account password for domain 'REALMNAME.COM'

From what I have read this relates to Samba not being 'connected' to the ADS realm (which I do not have). I have however attempted the command net ads join, which returns various errors.
>Perhaps I proposed the patch to the wrong audience. There are some
>people who have an existing Kerberos site, and have even followed the
>painful Microsoft howto on joining an MIT realm, and wish Samba to play
>ball.
>
>This is certainly not possible with Win98, so I suggest you instead just
>set up a normal Samba domain.

Now that's quite a letdown. I was sure this was possible from somewhere :). All the clients currently login to Samba and the only thing I was wanting samba to do is check their password off the KDC server. They don't need to login to the KDC or be given a ticket - just use it as a password database. Is there no pam options where I could use pam_krb5 or something along those lines?
On Tue, 2004-09-28 at 22:54, Bruce Marriner wrote:
> >Perhaps I proposed the patch to the wrong audience. There are some
> >people who have an existing Kerberos site, and have even followed the
> >painful Microsoft howto on joining an MIT realm, and wish Samba to play
> >ball.
> >
> >This is certainly not possible with Win98, so I suggest you instead just
> >set up a normal Samba domain.

> Is there no pam options where I could
> use pam_krb5 or something along those lines?

Domain Logons are technically incompatible with plaintext authentication, and plaintext authentication is incompatible with the whole idea behind kerberos - that is, no plaintext on the network...

Andrew Bartlett

--
Andrew Bartlett abartlet@samba.org
Authentication Developer, Samba Team http://samba.org
Student Network Administrator, Hawker College abartlet@hawkerc.net