On Apr 10, 2007, at 7:51 PM, Andrew Bartlett wrote:

> On Tue, 2007-04-10 at 10:42 -0700, Henry B. Hotz wrote:
>> As he says, you want Samba4.
>> "I don't do Windows (TM)"  However I think the login interface may
>> save your password for NTLM authentication, even if you log in to a
>> Kerberos Realm.
>> That said, if you use Samba4, then you can configure it to run in the
>> same Kerberos Realm that you set up for login.  You should be home
>> free at that point, with no passwords in Samba (and none needed).
> Sorry, it doesn't quite work like that.  Samba will then be your KDC,
> powered by our copy of Heimdal.

Hmmm.  No way to support a non-Samba KDC?  I know you've said you
want to provide a complete package to people, but there are other
people (like me) who have a different infrastructure in place.

Cross-realm trusts that don't correspond to DNS domains are really
cumbersome to make work.  Still, if nothing else, couldn't you run
the Samba copy of Heimdal with the Samba service itself as content?
All users would come from your primary Kerberos service.  This is the
documented Microsoft way of supporting non-Microsoft Kerberos realms.
