On Wed, 2010-09-08 at 00:07 +0930, Indexer wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi,
>
> After a bit of research and sniffing about, I am curious as to what it
> would take to run Samba3 with kerberos (MIT or Heimdal) as the password backend
>
>
> http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/ref-guide/s1-samba-servers.html
> Shows how you can use share mode ADS, with krb5 auth. Is it possible to use any
> KDC as the "password server = linux.kdc", and if so, is there a way
> to generate the needed host / service principals for the samba server to
> "fool" samba into thinking it is part of an AD setup? What principals
> would they be?

The 'password server' command refers to either a CIFS server on which to
conduct a 'man in the middle' attack on the NTLM authentication stream,
when security=server, or the DC to contact when 'security=domain'. It
is not relevant to Kerberos authentication, which relies instead on a
locally stored keytab or password, shared with the KDC.

You can set up Samba to accept tickets issued somehow to your clients by
an MIT or Heimdal KDC. See 'kerberos method' in your smb.conf for the
documentation.

Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Cisco Inc.
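
The distinction drawn in the reply above can be checked mechanically against an smb.conf. The following is an added example, not part of the original message and not Samba project code: a small audit of the `[global]` section. The accepted `kerberos method` values, the `dedicated keytab file` parameter and the treatment of `security = ads` as a DC-contacting mode are taken from the smb.conf manual page rather than from this thread, and the sample configuration is constructed.

```python
import re

# Values documented for 'kerberos method' in smb.conf(5) (assumption: not listed in the thread)
KERBEROS_METHODS = {"secrets only", "system keytab",
                    "dedicated keytab", "secrets and keytab"}

def parse_global(text):
    """Return the [global] parameters of an smb.conf as {name: value}."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            # parameter names are case-insensitive; normalise spacing as well
            params[" ".join(name.lower().split())] = value.strip()
    return params

def audit(text):
    """List findings about NTLM pass-through and Kerberos keytab settings."""
    p = parse_global(text)
    security = p.get("security", "user").lower()
    method = " ".join(p.get("kerberos method", "secrets only").lower().split())
    findings = []
    if security == "server":
        findings.append("security=server: NTLM logons are relayed to the 'password server'")
    if "password server" in p and security not in ("server", "domain", "ads"):
        findings.append("'password server' is set but plays no part in Kerberos ticket checks")
    if method not in KERBEROS_METHODS:
        findings.append(f"unknown 'kerberos method' value: {method!r}")
    elif method == "secrets only":
        findings.append("kerberos method=secrets only: no keytab is consulted for tickets")
    elif method == "dedicated keytab" and "dedicated keytab file" not in p:
        findings.append("kerberos method=dedicated keytab needs 'dedicated keytab file'")
    return findings

# Constructed sample: the setup the question proposes, with a KDC named as password server
SAMPLE = """
[global]
   security = server
   password server = linux.kdc
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("-", finding)
```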