samba - Dec 2012 - Samba - Kerberos delegation support

Hi,

  We're implementing RPCSEC_GSS with authentication against AD in our NFSv3
environment.
Our Windows users use Samba to access NFS storage from their laptops.
What would be the best way to configure Samba to "forward" the
credentials from Windows laptop to be able to access NFS on user's behalf?
I saw some notes about Kerberos delegation in Samba 4 - is it ready for
production use? Any experience with this capability in NFS/Kerberos environment?

Thanks,
Gregory Touretsky
Engineering Computing - Strategic Architecture and Planning
Solutions Architect
gregory.touretsky AT intel.com
(+) 972-4-865-6377, Fax: 04-865-5999
iNET: 465-6377

---------------------------------------------------------------------
Intel Israel (74) Limited

This e-mail and any attachments may contain confidential material for
the sole use of the intended recipient(s). Any review or distribution
by others is strictly prohibited. If you are not the intended
recipient, please contact the sender and delete all copies.

On Thu, 2012-12-20 at 11:06 +0000, Touretsky, Gregory
wrote:
> Hi,
> 
>   We're implementing RPCSEC_GSS with authentication against AD in our
NFSv3 environment.
> Our Windows users use Samba to access NFS storage from their laptops.
> What would be the best way to configure Samba to "forward" the
credentials from Windows laptop to be able to access NFS on user's behalf?
> I saw some notes about Kerberos delegation in Samba 4 - is it ready for
production use? Any experience with this capability in NFS/Kerberos environment?
It may be possible to extend Samba to support this, but at the moment it
is not supported. 

We do have a much more mature GSSAPI stack in Samba 4.0, across the
codebase, and we use that to forward kerberos credentials in the CIFS
and DCE/RPC proxy code, but so far we don't use it in the normal file
server.

You would also need to find a way to initiate the NFS mount from Samba,
and pass it the credentials in the form of a krb5 ccache. 

In short, it would be a development project, but the code in Samba 4.0
would do it much better than the old code. 

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org