James Pulver
2008-Mar-18 19:49 UTC
[Samba] Setting up ADS in Samba with MIT kerberos mapping/backend
So, I'm trying to figure out how to get Samba to work in this way. Specifically, I have a 2003 R2 AD in 2003 functional level. All user accounts are mapped to the same user account name @ our MIT Kerberos server. Users do not know their AD password.

Can Samba authenticate users with their Kerberos realm passwords, and know to use the same user name so the UIDs match for both platforms + permissions?

If it can, what should the smb.conf look like?

--
James Pulver
Information Technology Area Supervisor
LEPP Computer Group
Cornell University
Steve Harper
2008-Mar-18 22:44 UTC
[Samba] Setting up ADS in Samba with MIT kerberos mapping/backend
We here at the University of Utah have a similar setup that we are trying to get to work. We have set up a cross-realm trust between our MIT Kerberos server and our Windows AD Domain, and all the user accounts' altSecurityIdentities map the AD users to our MIT style kerberos realm. AD passwords are set to long random strings.

So far we have followed the guide below on the Samba wiki, with some success, but there are a few things that still do not work.

http://wiki.samba.org/index.php/Samba_%26_Active_Directory

On linux and mac workstations we can map shares on our samba server once we have done a kinit against our kerberos realm.

    kinit username@UTAH.EDU
    smbclient //sambaserver.utah.edu/SHARENAME -k

Smb shares initiated from the GUI on the Mac work ok on the Tiger release of Mac OS X, but seem to fail on Leopard. Other than that, it all works fine on these clients.

The problem is with the windows workstations. Workstations that are members of the domain can logon with their MIT passwords, specifying the kerberos realm in the GINA. Once there they can seamlessly map drives iff they specify their (usually set to garbage) local AD passwords. All other permutations to let the samba or windows server know that we want to use our cross-realm trust credentials have been unsuccessful thus far. Ideally we would like to be able to map drives to these shares from windows machines that are not even members of our AD domain.

A new option I saw that I have not had time to try out yet for the smb.conf is

    use kerberos keytab = yes

This might help the clients to succeed, or it might be useful in getting Samba to attempt to authenticate users directly against our MIT Kerberos server.

I've still got a lot of reading and experimenting to do to see if we can pull this together. Hopefully somebody else on this list has already fought such a battle and emerged triumphant. But in perusing the list archives for a few hours I have yet to see something like this.
Thanks,
Steve Harper
Center for High Performance Computing
University of Utah.

James Pulver wrote:
> So, I'm trying to figure out how to get Samba to work in this way.
> Specifically, I have a 2003 R2 AD in 2003 functional level. All user
> accounts are mapped to the same user account name @ our MIT Kerberos
> server. Users do not know their AD password.
>
> Can Samba authenticate users with their Kerberos realm passwords, and
> know to use the same user name so the UIDs match for both platforms +
> permissions?
>
> If it can, what should the smb.conf look like?
> --
> James Pulver
> Information Technology Area Supervisor
> LEPP Computer Group
> Cornell University
>
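As an added illustration (not configuration from either poster), here is the shape of smb.conf global section the thread is circling around: an ADS member server that accepts cross-realm Kerberos tickets via the system keytab and takes UIDs from the AD user objects so the Unix and Windows sides agree. It assumes Samba 3.0-era option names, a hypothetical AD domain AD.EXAMPLE.EDU (NetBIOS name ADEXAMPLE), an MIT realm UTAH.EDU as in Steve's post, and that the AD accounts carry rfc2307 uidNumber/gidNumber attributes.

```ini
# Added example; not configuration posted by James or Steve.
# Assumptions: AD domain AD.EXAMPLE.EDU (NetBIOS ADEXAMPLE), MIT realm
# UTAH.EDU, AD user objects populated with rfc2307 uidNumber/gidNumber,
# Samba 3.0-era option names (later releases renamed some of these).
[global]
    workgroup = ADEXAMPLE
    realm = AD.EXAMPLE.EDU
    security = ads

    # Validate incoming service tickets against the keys in the system
    # keytab (the option Steve mentions) instead of only the machine
    # account password. The keytab must hold the cifs/ service key for
    # this host from every realm that will issue tickets to it.
    use kerberos keytab = yes

    # Pull uid/gid from the AD user object so the UID a user gets here is
    # the same one the Unix/MIT side already uses (James's requirement).
    idmap backend = ad
    winbind nss info = rfc2307
    winbind use default domain = yes
    template shell = /bin/bash

    # Tickets from the MIT realm carry no PAC, so the principal name
    # (user@UTAH.EDU) is mapped onto the matching AD account by name.
    # Assumption: /etc/samba/smbusers holds lines like
    #   aduser = user@UTAH.EDU
    username map = /etc/samba/smbusers
```

Check the result on the server with `klist -k` (the cifs/sambaserver.utah.edu@UTAH.EDU key must be present alongside the AD one) and `wbinfo -i aduser` (the returned uid must equal the Unix side's uid) before expecting Windows clients to map drives with cross-realm credentials.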