[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Current ideas on kerberos requirements for Samba4
"Wachdorf, Daniel R" <drwachd@sandia.gov> writes:
> I have a question regarding this. I submitted a bug on this a while back but it got closed due to lack of a fix.
>
> What if you have an environment where SMB clients will be from a kerberos
> realmA will be accessing a SAMBA share using kerberos auth which is a
> member of realmB. Testing of 3.0 revaled that SAMBA had a problem
> mapping the principal user@realmA into a username.
>
> Do you think adding a local_name support (much like
> krb5_aname_to_localname in MIT) to translate username kerberos principals
> of non-local kerberos realms into local account names.
Isn't this done with the Name Mapping ldap attribute
(altSecurityIdentities), samba doesn't support this, so use use a local
patch that adds a hard mapping between our Kerberos realm (heimdal) and AD.
Love
>
> -dan
>
>
> -----Original Message-----
> From: krbdev-bounces@mit.edu on behalf of Andrew Bartlett
> Sent: Mon 5/16/2005 9:36 AM
> To: krbdev@mit.edu; heimdal-discuss@sics.se; samba-technical@samba.org
> Cc: Michelle Escalante
> Subject: Current ideas on kerberos requirements for Samba4
>
> Just a quick note to let a few more people know that I am putting
> together a rough text document describing various things about kerberos.
> I'm sure parts are just complete fiction, but I'm still new to many
> parts of this game. :-)
>
> The idea is to write down the special things Samba4 will need from
> GSSAPI/Kerberos libraries and KDC implementations, however we end up
> producing things.
>
> The current version (updated from SVN) is at:
> http://samba.org/ftp/unpacked/samba4/source/auth/kerberos/kerberos-
> notes.txt
>
> Andrew Bartlett
> --
> Andrew Bartlett http://samba.org/~abartlet/
> Authentication Developer, Samba Team http://samba.org
> Student Network Administrator, Hawker College http://hawkerc.net
PGP signature