Hi,

After a bit of research and sniffing about, I am curious as to what it would take to run Samba3 with Kerberos (MIT or Heimdal) as the password backend.

http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/ref-guide/s1-samba-servers.html

Shows how you can use share mode ADS, with krb5 auth. Is it possible to use any KDC as the "password server = linux.kdc", and if so, is there a way to generate the needed host / service principals for the samba server to "fool" samba into thinking it is part of an AD setup? What principals would they be?

Sincerely

William Brown

pgp.mit.edu
On Wed, 2010-09-08 at 00:07 +0930, Indexer wrote:
> Hi,
>
> After a bit of research and sniffing about, I am curious as to what it would take to run Samba3 with Kerberos (MIT or Heimdal) as the password backend
>
> http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/ref-guide/s1-samba-servers.html Shows how you can use share mode ADS, with krb5 auth. Is it possible to use any KDC as the "password server = linux.kdc" , and if so, is there a way to generate the needed host / service principals for the samba server to "fool" samba into thinking it is part of an AD setup? What principals would they be?

The 'password server' command refers to either a CIFS server on which to conduct a 'man in the middle' attack on the NTLM authentication stream, when security=server, or the DC to contact when 'security=domain'.

It is not relevant to Kerberos authentication, which relies instead on a local stored keytab or password, shared with the KDC.

You can set up Samba to accept tickets issued somehow to your clients by an MIT or Heimdal KDC. See 'kerberos method' in your smb.conf for the documentation.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Cisco Inc.
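
The distinction drawn in the reply above, as an added example that is not part of the original thread: a small Python check that reads the `[global]` section of an smb.conf and reports whether `password server` or the `kerberos method` keytab settings are the ones in effect. The sample configuration, host name, realm and keytab path are constructed for illustration.

```python
import re

# Constructed sample smb.conf (hypothetical host, realm and keytab path).
SAMPLE = """\
[global]
    security = user
    realm = EXAMPLE.ORG
    password server = linux.kdc
    kerberos method = dedicated keytab
    dedicated keytab file = /etc/samba/smb.keytab
"""

def parse_global(text):
    """Return [global] parameters; names are case-insensitive and
    whitespace inside them is ignored, as in smb.conf."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[re.sub(r"\s+", "", key).lower()] = value.strip()
    return params

def audit(text):
    """Say which settings matter for NTLM pass-through vs. Kerberos."""
    p = parse_global(text)
    security = p.get("security", "user").lower()
    method = p.get("kerberosmethod", "secrets only").lower()
    notes = []
    if "passwordserver" in p:
        if security == "server":
            notes.append("password server: NTLM pass-through to a CIFS server")
        elif security == "domain":
            notes.append("password server: DC contacted for domain auth")
        elif security == "user":
            notes.append("password server: unused with security = user")
    if method == "dedicated keytab":
        keytab = p.get("dedicatedkeytabfile", "<dedicated keytab file not set>")
        notes.append(f"kerberos: tickets checked against {keytab}")
    elif "keytab" in method:
        notes.append("kerberos: tickets checked against the system keytab")
    else:
        notes.append("kerberos: no keytab configured (secrets only)")
    return notes

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```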