On Mon, 2011-11-14 at 16:53 +1300, brijesh patel wrote:
> Hi,
>
> I am sure someone may have already asked this question but I can't find
> any useful documentation about this. I would like to use our existing kerberos
> (openldap) setup to authenticate users against windows machines. So far I have
> managed to authenticate users against ldap password with samba but I don't
> have any success if I use kerberos with samba.
>
> Here is my kerberos related part of smb.conf file
>
> [global]
> workgroup = TEST
> netbios name = pdc
> security = user
> enable privileges = yes
> interfaces = 10.0.0.1
> server string = Samba Server %v
> encrypt passwords = Yes
> realm = REALM
> client use spnego = yes
>
> I have created a key for samba server called cifs/test.com.
>
> FYI I haven't done any configuration on windows client (do I need to do
> anything on those machines?)
>
> Any help would be appreciated.

The only way to have Windows clients use Samba in the way that you want
is to use Samba4, as an AD DC. With Samba 3.x, Windows clients will not
use kerberos.

We have a migration script from Samba3, but not from Heimdal (but due to
recent requests, I'm going to see what I can do about that). If you
have sambaNTPassword fields in your OpenLDAP server, then these can be
migrated to AD, and will provide the arcfour-hmac-md5 Kerberos key
(which is the most important one anyway, as it is the most used).

The Samba3 migration command is 'samba-tool domain samba3upgrade'.

I hope this helps,

Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
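
Added example, not part of the original thread and not Samba's own tooling: a pre-migration check that reads an LDIF export of the OpenLDAP directory and reports which accounts carry a well-formed sambaNTPassword value, the attribute the reply says the migration relies on. The function names, the uid attribute as account key, and the sample entries are assumptions made for illustration.

```python
import base64
import re
# Constructed sample LDIF export (hypothetical entries; hash values are made up).
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
uid: alice
sambaNTPassword: 0123456789ABCDEF0123456789ABCDEF

dn: uid=bob,ou=People,dc=example,dc=com
uid: bob

dn: uid=carol,ou=People,dc=example,dc=com
uid: carol
sambaNTPassword: 0123456789ABCDEF
 0123456789ABCDEF

dn: uid=dave,ou=People,dc=example,dc=com
uid: dave
sambaNTPassword:: WFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFg=
"""

NT_HASH = re.compile(r"[0-9A-Fa-f]{32}")  # NT hash: 16 bytes as 32 hex digits

def parse_ldif(text):
    """Yield {attr: [values]} per entry, handling folded and base64 lines."""
    unfolded = re.sub(r"\n ", "", text)  # a leading space continues the previous line
    for block in re.split(r"\n\s*\n", unfolded.strip()):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            attr, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: <base64>"
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            entry.setdefault(attr.lower(), []).append(value.strip())
        yield entry

def status(entry):
    hashes = entry.get("sambantpassword")
    if not hashes:
        return "missing"  # nothing to migrate for this account
    return "ok" if NT_HASH.fullmatch(hashes[0]) else "invalid"

def audit(text):
    """Map uid -> status; the hash values themselves are never returned."""
    return {e.get("uid", ["?"])[0]: status(e) for e in parse_ldif(text)}

if __name__ == "__main__":
    print(audit(SAMPLE_LDIF))
```

sambaNTPassword values are password-equivalent, so keep the LDIF export as protected as the directory itself and delete it after the check.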