[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: SSO (Kerberos), samba and windows XP desktop





paul@subsignal.org wrote:
> Pat Riehecky schrieb:
>> For what my $0.02 are worth http://www.openinput.com/auth-howto/ may be
>> a good resource for pointing you in a direction (right or wrong I cannot
>> say)
> Nope, thats not going to help. The basic problem is: You won't get a
> ticket (with pac and all) for windows clients from a non AD KDC, period.

Well... If your non AD realm has cross realm trust to an AD, you can get
a PAC. If the user principal is in the non AD realm, and the Windows
server (which could be the local machine) is in the AD realm, and the
the user has an AD account which says trust the Kerberos realm for 
authentication, the service ticket will have a PAC.

http://www.microsoft.com/technet/prodtechnol/windows2000serv/howto/kerbstep.mspx

section "Creating Account Mappings"

(But he does not have AD so this is a must point, but one someone else
might useful.)

> 
> What you *can* do is join a windows client to samba4 and get a ticket
> (been there, done that). To actually use the ticket for your services
> you'd need other kerberized services and hence service principals in the
> samba4 KDC. Haven't tried to do this, same for the possible cross-realm
> /trust scenario.
> 
> hope I'm not totally off base here ;)
> 
> cheers
>  Paul
> 
>> Pat
>>
>> On Tue, 2007-04-10 at 10:42 -0700, Henry B. Hotz wrote:
>>> As he says, you want Samba4.
>>>
>>> "I don't do Windows (TM)"  However I think the login interface may  
>>> save your password for NTLM authentication, even if you log in to a  
>>> Kerberos Realm.
>>>
>>> That said, if you use Samba4, then you can configure it to run in the  
>>> same Kerberos Realm that you set up for login.  You should be home  
>>> free at that point, with no passwords in Samba (and none needed).
>>>
>>> Don't ask me how to do any of this.  I'm talking theory, not personal  
>>> experience.  ;-)
>>>
>>> On Apr 9, 2007, at 10:09 PM, Stefan Gohmann wrote:
>>>
>>>> Hello,
>>>>
>>>> I don't think that is possible. As far as I know you must be a  
>>>> member in the
>>>> samba domain. For a real SSO we need Samba4.
>>>>
>>>> Maybe it is possible, that you have in the samba enviornment the same
>>>> usernames and passwords as in the keberos envirenment. But I don't  
>>>> think,
>>>> that the Windows client will send the username/password as a  
>>>> fallback to the
>>>> samba server when he did a kerberos logon.
>>>>
>>>> Cheers
>>>> Stefan
>>>>
>>>> Am Freitag, 16. März 2007 22:26 schrieb Gustavo Rios:
>>>>> Dear gentleman,
>>>>>
>>>>> I have managed to get my windows XP dekstop supporting kerberos
>>>>> authentication. Within the logon interface, i select my kerberos  
>>>>> realm
>>>>> domain and authentication is performed through it.
>>>>>
>>>>> Right now i am planning to incorporate this standalone box in a samba
>>>>> domain. Since samba provides a domain by its own, i do not know how
>>>>> retrieve only user information from the samba server and still
>>>>> authenticating through kerberos. Because in order to do so, i am
>>>>> required to select the samba domain within the logon interface.
>>>>>
>>>>> I would like a windows environment much like the unix system can have
>>>>> the centralized user information managed by nis, but authentication
>>>>> performed by a kerberos server. Is it possible?
>>>>>
>>>>> Thanks in advance.
>>> ------------------------------------------------------------------------
>>> The opinions expressed in this message are mine,
>>> not those of Caltech, JPL, NASA, or the US Government.
>>> Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu
>>>
>>>
> 
> 

-- 

  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444