Hello all,

I am running a RHEL AS server. I want to make this a Kerberos KDC against which all Windows clients can authenticate. Apart from this, I want to mount the shared folders on the individual Windows clients on to the RHEL server. I am assuming that I need to do this using Samba (bear with me as I am a Linux newbie). What mode do I set Samba in to do this? Would it need to authenticate against the KDC? I noticed a realm setting in smb.conf, but all references to this parameter have been in relation to Windows AD.

Is it possible for me to have a single location for authentication information while enabling users to view shared folders on individual machines using Kerberos and Samba? I would appreciate any suggestions/comments/ideas. If anyone thinks I am going in the wrong direction, I would appreciate any tutorials/references on doing what I need to.

Thanks

--
Ganeshram Iyer

[Reply posted on bottom - hit reply instead of reply all. May be double posted. Apologies for that.]

On Fri, 07 Jan 2005 11:49:04 +0100, Jörn Nettingsmeier <pol-admin@uni-duisburg.de> wrote:
> Ganeshram Iyer wrote:
> > Hello all,
> > I am running a RHEL AS server. I want to make this a Kerberos KDC
> > against which all Windows clients can authenticate. Apart from this, I
> > want to mount the shared folders on the individual Windows clients on
> > to the RHEL server. I am assuming that I need to do this using Samba
> > (bear with me as I am a Linux newbie). What mode do I set Samba in to
> > do this? Would it need to authenticate against the KDC? I noticed a
> > realm setting in smb.conf, but all references to this parameter have
> > been in relation to Windows AD. Is it possible for me to have a single
> > location for authentication information while enabling users to view
> > shared folders on individual machines using Kerberos and Samba? I
> > would appreciate any suggestions/comments/ideas. If anyone thinks I am
> > going in the wrong direction, I would appreciate any
> > tutorials/references on doing what I need to.
> > Thanks
>
> i investigated the same scenario a while ago, and came to the conclusion
> that kerberos support in samba is only there so that the samba server
> can join an active directory domain (i.e. it can be a kerberos/ADS
> *client*).
>
> authenticating windows clients against a kerberos kdc seems to imply
> full active directory support, and samba cannot handle this at present.
>
> (please, samba gurus, correct me if this is wrong!)
>
> best,
>
> jörn

Thanks for the reply Jörn, I really appreciate having anyone's input. I have tried numerous mail lists but never got a reply to this question. If this does not work, then it does not work. But if I run Samba in share mode to smbmount the Windows folders onto the Linux/Samba server, then I will not have single sign-on, will I?

If you have any suggestions for me on how I can do this better, I would really appreciate it.

Thanks again,
ganesh

On Wed, 2005-01-05 at 17:50 -0600, Ganeshram Iyer wrote:
> Hello all
> I am running a RHEL AS server. I want to make this a Kerberos KDC
> against which all windows clients can authenticate.

There are two ways to do this:

You can use an MIT KDC, in the way described by Microsoft, but this has nothing to do with Samba, and in fact is not compatible with Samba CIFS access (bugs, mostly simple...).

The other option is to use Heimdal Kerberos, and back that onto your Samba LDAP server. That way, you use the same passwords for both. Then your Unix clients can use pam_krb5, and your Windows clients can use Samba Domain authentication.

https://sec.miljovern.no/bin/view/Info/HeimdalKerberosSambaAndOpenLdap

Andrew Bartlett

--
Andrew Bartlett abartlet@samba.org
Authentication Developer, Samba Team http://samba.org
Student Network Administrator, Hawker College abartlet@hawkerc.net