[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: SSO (Kerberos), samba and windows XP desktop
Pat Riehecky schrieb:
> For what my $0.02 are worth http://www.openinput.com/auth-howto/ may be
> a good resource for pointing you in a direction (right or wrong I cannot
> say)
Nope, thats not going to help. The basic problem is: You won't get a
ticket (with pac and all) for windows clients from a non AD KDC, period.
What you *can* do is join a windows client to samba4 and get a ticket
(been there, done that). To actually use the ticket for your services
you'd need other kerberized services and hence service principals in the
samba4 KDC. Haven't tried to do this, same for the possible cross-realm
/trust scenario.
hope I'm not totally off base here ;)
cheers
Paul
>
> Pat
>
> On Tue, 2007-04-10 at 10:42 -0700, Henry B. Hotz wrote:
>> As he says, you want Samba4.
>>
>> "I don't do Windows (TM)" However I think the login interface may
>> save your password for NTLM authentication, even if you log in to a
>> Kerberos Realm.
>>
>> That said, if you use Samba4, then you can configure it to run in the
>> same Kerberos Realm that you set up for login. You should be home
>> free at that point, with no passwords in Samba (and none needed).
>>
>> Don't ask me how to do any of this. I'm talking theory, not personal
>> experience. ;-)
>>
>> On Apr 9, 2007, at 10:09 PM, Stefan Gohmann wrote:
>>
>>> Hello,
>>>
>>> I don't think that is possible. As far as I know you must be a
>>> member in the
>>> samba domain. For a real SSO we need Samba4.
>>>
>>> Maybe it is possible, that you have in the samba enviornment the same
>>> usernames and passwords as in the keberos envirenment. But I don't
>>> think,
>>> that the Windows client will send the username/password as a
>>> fallback to the
>>> samba server when he did a kerberos logon.
>>>
>>> Cheers
>>> Stefan
>>>
>>> Am Freitag, 16. März 2007 22:26 schrieb Gustavo Rios:
>>>> Dear gentleman,
>>>>
>>>> I have managed to get my windows XP dekstop supporting kerberos
>>>> authentication. Within the logon interface, i select my kerberos
>>>> realm
>>>> domain and authentication is performed through it.
>>>>
>>>> Right now i am planning to incorporate this standalone box in a samba
>>>> domain. Since samba provides a domain by its own, i do not know how
>>>> retrieve only user information from the samba server and still
>>>> authenticating through kerberos. Because in order to do so, i am
>>>> required to select the samba domain within the logon interface.
>>>>
>>>> I would like a windows environment much like the unix system can have
>>>> the centralized user information managed by nis, but authentication
>>>> performed by a kerberos server. Is it possible?
>>>>
>>>> Thanks in advance.
>> ------------------------------------------------------------------------
>> The opinions expressed in this message are mine,
>> not those of Caltech, JPL, NASA, or the US Government.
>> Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu
>>
>>
>