
Re: SSO (Kerberos), samba and windows XP desktop *

On Wed, 2007-04-11 at 11:14 -0700, Henry B. Hotz wrote:
> On Apr 10, 2007, at 7:51 PM, Andrew Bartlett wrote:
> > On Tue, 2007-04-10 at 10:42 -0700, Henry B. Hotz wrote:
> >> As he says, you want Samba4.
> >>
> >> "I don't do Windows (TM)"  However I think the login interface may
> >> save your password for NTLM authentication, even if you log in to a
> >> Kerberos Realm.
> >>
> >> That said, if you use Samba4, then you can configure it to run in the
> >> same Kerberos Realm that you set up for login.  You should be home
> >> free at that point, with no passwords in Samba (and none needed).
> >
> > Sorry, it doesn't quite work like that.  Samba will then be your KDC,
> > powered by our copy of Heimdal.
> Hmmm.  No way to support a non-Samba KDC?  I know you've said you  
> want to provide a complete package to people, but there are other  
> people (like me) who have a different infrastructure in place.

Well, the experience of building Samba4 has been that a vanilla KDC
isn't able to do the things that Samba4 needs (PAC, etc).  

> Cross-realm trusts that don't correspond to DNS domains are really  
> cumbersome to make work.  Still, if nothing else, couldn't you run  
> the Samba copy of Heimdal with the Samba service itself as content?   

I'm not quite sure what you mean here...

> All users would come from your primary Kerberos service.  This is the  
> documented Microsoft way of supporting non-Microsoft Kerberos realms.

I've just not looked into this yet, but it sounds hairy.

Andrew Bartlett

Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.                  http://redhat.com
