Hello all,

I am doing some tests for an SSO for our Windows workstations using Kerberos without ADS.
So far, the Windows client can obtain the ticket from the Heimdal KDC and it's possible to log in to SSH servers using Vintela Putty.

I am now trying to use the Kerberos credentials to access Samba shares.
I can mount the shares using my Kerberos tickets from a Linux client and I see the service ticket for cifs/FQDN, but it doesn't work from Windows.

When connecting to a share I can see that the negotiation phase offers Kerberos 5, MS Kerberos and NTLM. The Linux client chooses Kerberos but Windows chooses NTLM and prompts for a login/password.

Is there a way to remove NTLM from the negotiation phase on the Samba side, or to force Windows to try Kerberos first on the client side?

Config:
Debian unstable

Heimdal 0.6.3 with the host/FQDN and cifs/FQDN principals in the db

Samba 3.0.20b-2 with
security = users
use kerberos keytab = yes

Thanks !
On Fri, 2005-11-11 at 11:00 +0100, Skander wrote:
> Hello all,
>
> I am doing some tests for an SSO for our Windows workstations using
> Kerberos without ADS.
> So far, the Windows client can obtain the ticket from the Heimdal KDC and
> it's possible to log in to SSH servers using Vintela Putty.
>
> I am now trying to use the Kerberos credentials to access Samba shares.
>
> I can mount the shares using my Kerberos tickets from a Linux client and I see
> the service ticket for cifs/FQDN, but it doesn't work from Windows.
>
> When connecting to a share I can see that the negotiation phase offers
> Kerberos 5, MS Kerberos and NTLM. The Linux client chooses Kerberos but
> Windows chooses NTLM and prompts for a login/password.
>
> Is there a way to remove NTLM from the negotiation phase on the Samba side,
> or to force Windows to try Kerberos first on the client side?
>
> Config:
> Debian unstable
>
> Heimdal 0.6.3 with the host/FQDN and cifs/FQDN principals in the db

Are you connecting from the client as FQDN, or the netbios name? Windows clients are very painful in that they will not use the FQDN, nor even alter the case of their requests.

A simple ethereal trace should show if the KDC is issuing a ticket (or indeed if the KDC is being asked at all).

> Samba 3.0.20b-2 with
> security = users
>
> use kerberos keytab = yes

This should be sufficient.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Student Network Administrator, Hawker College http://hawkerc.net
Ok, now I have added the cifs/hostname in the keytab and now it works! Thank you!!

But do you have any idea why Windows doesn't do a NetBIOS lookup if I try to access \\hostname.domain, where domain corresponds to the domain and workgroup that I am in? It just prints an error without sending any packets. If I only do \\hostname it does the NetBIOS lookup for hostname. And if I try \\nonexistent.test.com or any other FQDN that does not end with my workgroup it will also try to resolve it.

2005/11/14, Andrew Bartlett <abartlet@samba.org>:
>
> On Mon, 2005-11-14 at 11:20 +0100, Skander wrote:
> > Are you connecting from the client as FQDN, or the netbios
> > name.
> > windows clients are very painful in that they will not use the
> > FQDN, nor
> > even alter the case of their requests.
> >
> > I have used the command ksetup /domain
> > Now at least it contacts the KDC, otherwise it only tries NTLM.
> > But as you said, it tries to obtain a ticket for
> > cifs/name_entered_in_browser. No matter if the name is netbios or IP
> > address.
> > And my problem now is that it doesn't try to do a DNS resolution before
> > the netbios resolution. So, I can't use the FQDN in the Windows browser
> > and obtain the correct service ticket.
> >
> > How can I activate DNS resolution for the smb protocol on my Windows
> > client? (DNS works for the other protocols).
>
> You cannot. Windows clients do not support it. You must enter every
> combination of case and name that a windows client may use into your
> KDC, and issue the keys back to keytab on the samba server.
>
> Yes, it sucks.
>
> Andrew Bartlett
>
> --
> Andrew Bartlett http://samba.org/~abartlet/
> Authentication Developer, Samba Team http://samba.org
> Student Network Administrator, Hawker College http://hawkerc.net
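Andrew's point above, that every name and case variant a Windows client may type must exist as a cifs/ principal in both the KDC and the Samba keytab, can be checked mechanically. The following is an added example, not code from the thread or from Samba/Heimdal: it parses Heimdal `ktutil list` output (a constructed sample), computes the cifs/ SPN variants for a placeholder host fs1.example.com in realm EXAMPLE.COM, and emits the `kadmin -l` commands for the ones that are missing. Which case variants Windows will actually send is an assumption (it uses the name as typed, so these are the forms a user is likely to type), and the kadmin option syntax is assumed from current Heimdal, not verified against 0.6.3.

```python
# Constructed sample of Heimdal `ktutil -k /etc/krb5.keytab list` output (not a real keytab).
SAMPLE_KTUTIL_LIST = """\
FILE:/etc/krb5.keytab

Vno  Type         Principal
  1  des-cbc-crc  host/fs1.example.com@EXAMPLE.COM
  1  des-cbc-crc  cifs/fs1.example.com@EXAMPLE.COM
  1  des-cbc-crc  cifs/fs1@EXAMPLE.COM
"""


def expected_spns(hostname, domain, realm, service="cifs"):
    """SPNs to provision: short (NetBIOS) name and FQDN, each in the case forms a user is
    likely to type. Assumption: Windows asks for cifs/<name as typed>, so the KDC needs all."""
    spns = set()
    for name in (hostname, f"{hostname}.{domain}"):
        for variant in (name.lower(), name.upper(), name.capitalize()):
            spns.add(f"{service}/{variant}@{realm}")
    return sorted(spns)


def parse_ktutil_list(text):
    """Principals present in `ktutil list` output (columns: Vno, Type, Principal)."""
    found = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and "@" in fields[2]:
            found.add(fields[2])
    return found


def missing_spns(hostname, domain, realm, ktutil_output):
    """Expected SPNs that have no key in the keytab yet."""
    present = parse_ktutil_list(ktutil_output)
    return [spn for spn in expected_spns(hostname, domain, realm) if spn not in present]


def kadmin_commands(spns, keytab="/etc/krb5.keytab"):
    """Heimdal `kadmin -l` lines: create each principal with a random key, then export it
    to the keytab Samba reads (use kerberos keytab = yes). Syntax assumed from current Heimdal."""
    cmds = []
    for spn in spns:
        cmds.append(f"kadmin -l add --random-key --use-defaults {spn}")
        cmds.append(f"kadmin -l ext_keytab --keytab={keytab} {spn}")
    return cmds


if __name__ == "__main__":
    todo = missing_spns("fs1", "example.com", "EXAMPLE.COM", SAMPLE_KTUTIL_LIST)
    print("\n".join(kadmin_commands(todo)))
```

Run it against the real `ktutil list` output on the Samba server to see which principals still have to be added; Heimdal principal names are case-sensitive, so cifs/FS1 and cifs/fs1 are distinct keys.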