[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Current ideas on kerberos requirements for Samba4

"Wachdorf, Daniel R" <drwachd@sandia.gov> writes:

> I have a question regarding this.  I submitted a bug on this a while back but it got closed due to lack of a fix. 
> What if you have an environment where SMB clients will be from a kerberos
> realmA will be accessing a SAMBA share using kerberos auth which is a
> member of realmB.  Testing of 3.0 revaled that SAMBA had a problem
> mapping the principal user@realmA into a username.
> Do you think adding a local_name support (much like
> krb5_aname_to_localname in MIT) to translate username kerberos principals
> of non-local kerberos realms into local account names.

Isn't this done with the Name Mapping ldap attribute
(altSecurityIdentities), samba doesn't support this, so use use a local
patch that adds a hard mapping between our Kerberos realm (heimdal) and AD.


> -dan
> -----Original Message-----
> From: krbdev-bounces@mit.edu on behalf of Andrew Bartlett
> Sent: Mon 5/16/2005 9:36 AM
> To: krbdev@mit.edu; heimdal-discuss@sics.se; samba-technical@samba.org
> Cc: Michelle Escalante
> Subject: Current ideas on kerberos requirements for Samba4
> Just a quick note to let a few more people know that I am putting
> together a rough text document describing various things about kerberos.
> I'm sure parts are just complete fiction, but I'm still new to many
> parts of this game. :-)
> The idea is to write down the special things Samba4 will need from
> GSSAPI/Kerberos libraries and KDC implementations, however we end up
> producing things.
> The current version (updated from SVN) is at:
> http://samba.org/ftp/unpacked/samba4/source/auth/kerberos/kerberos-
> notes.txt
> Andrew Bartlett
> -- 
> Andrew Bartlett                                http://samba.org/~abartlet/
> Authentication Developer, Samba Team           http://samba.org
> Student Network Administrator, Hawker College  http://hawkerc.net

PGP signature