Tiit Kaeeli
2014-Dec-01 16:17 UTC
[Samba] Can windows clients get kerberos tickets from samba3 PDC?
> Is it possible for windows clients to authenticate against kerberos and
> receive tickets from a Samba3 PDC, when kerberos server is MIT kerberos
> running on a Linux server, not a Windows AD server?
>
> https://help.ubuntu.com/community/Samba/Kerberos
> Suggests that this may be possible and I can successfully authenticate with
> smbclient -k. But windows users do not receive tickets on domain login. At
> least kerbtray from Windows server 2003 resource kit tools does not show them
> on windows7 client.
>
> I have not found a definitive statement that it is not possible, nor any more
> detailed documentation on how this can be done.
>
> So can this be done or not?
>
> Where to find documentation?
> How to get more detailed logging and find out why it is not working?
>
> Can this be done with samba4 with external MIT kerberos?
>
> Thanks.

Any ideas?
Gaiseric Vandal
2014-Dec-01 16:42 UTC
[Samba] Can windows clients get kerberos tickets from samba3 PDC?
On 12/01/14 11:17, Tiit Kaeeli wrote:
>> Is it possible for windows clients to authenticate against kerberos
>> and receive tickets from a Samba3 PDC, when kerberos server is MIT
>> kerberos running on a Linux server, not a Windows AD server?
>>
>> https://help.ubuntu.com/community/Samba/Kerberos
>> Suggests that this may be possible and I can successfully authenticate
>> with smbclient -k. But windows users do not receive tickets on domain
>> login. At least kerbtray from Windows server 2003 resource kit tools
>> does not show them on windows7 client.
>>
>> I have not found a definitive statement that it is not possible, nor
>> any more detailed documentation on how this can be done.
>>
>> So can this be done or not?
>>
>> Where to find documentation?
>> How to get more detailed logging and find out why it is not working?
>>
>> Can this be done with samba4 with external MIT kerberos?
>>
>> Thanks.
>>
>
> Any ideas?
>

Samba 3.x is a "classic" (NT4-type) domain using NTLM authentication. I would suspect that using "smbclient -k" would only be useful if you were NOT trying to configure your Linux machine as part of a Windows domain. For Windows, the kerberos auth is only useful if you don't have a windows domain but you are trying to centralize authentication. I believe in this case you still have to define the users on the windows machine anyway.

What is the goal? To have a single password for linux and windows users?

I have been tinkering with MIT kerberos for unix clients. Currently I use Samba 3.x for windows users. Samba uses the same LDAP backend that is used for unix clients. Each user LDAP entry has the user name, unix password and samba password. Since Samba has a password sync script, unix users change passwords with the "smbpasswd" command (not passwd) so that the windows and unix passwords stay in sync. I can also configure client machines to use kerberos passwords, although the kerberos passwords currently do not sync with the LDAP unix and samba passwords.

As far as I can tell, Samba 4 does not support MIT kerberos. At this point, I am seriously considering migrating my domain controllers to Windows 2008/2012 while keeping Samba for the file servers. Either way, I have to abandon the MIT kerberos server.
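Two points in the thread so far can be checked from the Linux side: the original question of how to get more detailed logging and see why it is not working, and Gaiseric's observation that a Samba 3.x classic (NT4-type) domain authenticates its Windows members with NTLM, so a working "smbclient -k" says nothing about Windows domain logon. The script below is an added example, not code from the thread or from the Samba project. It classifies a Samba server as a classic PDC, an AD DC or a plain member from its smb.conf, lists the service tickets in klist output, and reports whether an smbclient -k session obtained a cifs/ service ticket for the server. It assumes the MIT Kerberos client tools (kinit, klist) and smbclient are installed; the realm, user and host names in the usage description are placeholders, and the klist output format assumed is the MIT one.

```shell
#!/bin/sh
# Added diagnostic helpers, not part of the mailing-list thread or of Samba.
# Assumes MIT Kerberos client tools (kinit, klist) and smbclient on the Linux
# box; realm, user and host names mentioned below are placeholders.

# Print the service principals from klist(1) output read on stdin. MIT klist
# prints a header, a "Service principal" column title, then one line per ticket
# whose last field is the principal; "renew until" continuation lines have no
# "@" in their last field and are skipped.
ticket_services() {
    awk '
        in_table && NF > 0 && $NF ~ /@/ { print $NF }
        /Service principal/             { in_table = 1 }
    '
}

# Exit 0 when the klist output on stdin holds a cifs/ ticket for the given host,
# i.e. the Linux-side "smbclient -k" session really negotiated Kerberos.
has_cifs_ticket() {
    ticket_services | grep -q "^cifs/$1@"
}

# Classify a Samba server from the smb.conf read on stdin:
#   classic-pdc  "domain logons = yes" without an AD role (Samba 3.x style):
#                Windows domain members log on with NTLM and get no tickets
#   ad-dc        "server role = active directory domain controller" (Samba 4):
#                the built-in KDC issues TGTs to Windows clients at logon
#   member       neither of the above
samba_role() {
    awk '
        /^[ \t]*[#;]/ { next }                       # skip comment lines
        /=/ {
            key = tolower($0); sub(/=.*/, "", key); gsub(/[ \t]/, "", key)
            val = tolower($0); sub(/^[^=]*=/, "", val)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "serverrole" && val ~ /active directory domain controller/) ad = 1
            if (key == "domainlogons" && val ~ /^(yes|true|1)$/) pdc = 1
        }
        END { print (ad ? "ad-dc" : (pdc ? "classic-pdc" : "member")) }
    '
}

# Run the Linux-side Kerberos path against a server with verbose logging and
# report whether a cifs/ ticket was obtained. Usage: diagnose USER REALM HOST.
# On the server, "log level = 3 auth:10" in smb.conf logs the matching side.
diagnose() {
    user="$1"; realm="$2"; server="$3"
    kinit "${user}@${realm}" || return 1
    # KRB5_TRACE is honoured by MIT Kerberos 1.9 and later; -d 3 raises the
    # smbclient debug level so the SPNEGO/Kerberos negotiation is printed.
    KRB5_TRACE=/dev/stderr smbclient -k -d 3 -L "//${server}" >/dev/null
    if klist | has_cifs_ticket "$server"; then
        echo "cifs/${server} ticket present: Kerberos was used by this client"
    else
        echo "no cifs/${server} ticket: Kerberos was not negotiated; see the trace above"
        return 1
    fi
}
```

Typical use is `samba_role < /etc/samba/smb.conf` on the server to confirm which kind of domain it offers, and `diagnose tiit EXAMPLE.ORG fileserver.example.org` (placeholder names) on a Linux client; a cifs/ ticket appearing there while Windows clients show nothing in kerbtray is exactly what a classic-pdc result predicts, because only the smbclient path speaks Kerberos to a Samba 3 server.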
Tiit Kaeeli
2014-Dec-01 17:30 UTC
[Samba] Can windows clients get kerberos tickets from samba3 PDC?
On Mon, 1 Dec 2014, Gaiseric Vandal wrote:
> On 12/01/14 11:17, Tiit Kaeeli wrote:
>>> Is it possible for windows clients to authenticate against kerberos and
>>> receive tickets from a Samba3 PDC, when kerberos server is MIT kerberos
>>> running on a Linux server, not a Windows AD server?
>>>
>>> https://help.ubuntu.com/community/Samba/Kerberos
>>> Suggests that this may be possible and I can successfully authenticate with
>>> smbclient -k. But windows users do not receive tickets on domain login. At
>>> least kerbtray from Windows server 2003 resource kit tools does not show
>>> them on windows7 client.
>>>
>>> I have not found a definitive statement that it is not possible, nor any
>>> more detailed documentation on how this can be done.
>>>
>>> So can this be done or not?
>>>
>>> Where to find documentation?
>>> How to get more detailed logging and find out why it is not working?
>>>
>>> Can this be done with samba4 with external MIT kerberos?
>>>
>>> Thanks.
>>>
>>
>> Any ideas?
>>
>
> Samba 3.x is a "classic" (NT4-type) domain using NTLM authentication. I
> would suspect that using "smbclient -k" would only be useful if you were NOT
> trying to configure your Linux machine as part of a Windows domain. For
> Windows, the kerberos auth is only useful if you don't have a windows domain
> but you are trying to centralize authentication. I believe in this case you
> still have to define the users on the windows machine anyway.
>
> What is the goal? To have a single password for linux and windows users?

The goal is to get kerberos tickets to windows clients, so that they can be used to SSO to other services.

> I have been tinkering with MIT kerberos for unix clients. Currently I use
> Samba 3.x for windows users. Samba uses the same LDAP backend that is used for
> unix clients. Each user LDAP entry has the user name, unix password and
> samba password. Since Samba has a password sync script, unix users
> change passwords with the "smbpasswd" command (not passwd) so that the
> windows and unix passwords stay in sync. I can also configure client
> machines to use kerberos passwords, although the kerberos passwords currently
> do not sync with the LDAP unix and samba passwords.

Same here. Plus I got kerberos passwords in sync with others using
http://labs.opinsys.com/blog/2010/05/05/smbkrb5pwd-password-syncing-for-openldap-mit-kerberos-and-samba/

> As far as I can tell, Samba 4 does not support MIT kerberos. At this point, I
> am seriously considering migrating my domain controllers to Windows 2008/2012
> while keeping Samba for the file servers. Either way, I have to abandon
> the MIT kerberos server.

Yes, currently samba 4 does not support MIT kerberos. It is in
https://wiki.samba.org/index.php/Roadmap#Active_Directory_Server
Is there any estimate for it?

One more bit is unclear to me. If I install Samba4, it will come with a dedicated built-in Heimdal Kerberos server. Can this kerberos server be used directly by Linux kerberos clients, should all access be done through samba, or must there be a separate kerberos server for Linux clients? If the last is true, how should the two kerberos servers be kept in sync? For LDAP, it seems to be the last option (two LDAP servers, synchronization is managed by PAM). Is it so?

We do not have and will not have any windows servers. So the options are:
1. Find a way to get kerberos tickets to windows clients using Samba3
2. Drop MIT kerberos and go for Samba4 and Heimdal kerberos
3. Use Heimdal kerberos for Samba4 and MIT kerberos for Linux
4. Wait until Samba4 MIT kerberos support is ready.