On Wed, 2007-04-11 at 11:14 -0700, Henry B. Hotz wrote:
> On Apr 10, 2007, at 7:51 PM, Andrew Bartlett wrote:
>
> > On Tue, 2007-04-10 at 10:42 -0700, Henry B. Hotz wrote:
> >> As he says, you want Samba4.
> >>
> >> "I don't do Windows (TM)" However I think the login interface may
> >> save your password for NTLM authentication, even if you log in to a
> >> Kerberos Realm.
> >>
> >> That said, if you use Samba4, then you can configure it to run in the
> >> same Kerberos Realm that you set up for login. You should be home
> >> free at that point, with no passwords in Samba (and none needed).
> >
> > Sorry, it doesn't quite work like that. Samba will then be your KDC,
> > powered by our copy of Heimdal.
>
> Hmmm. No way to support a non-Samba KDC? I know you've said you
> want to provide a complete package to people, but there are other
> people (like me) who have a different infrastructure in place.

Well, the experience of building Samba4 has been that a vanilla KDC isn't
able to do the things that Samba4 needs (PAC, etc).

> Cross-realm trusts that don't correspond to DNS domains are really
> cumbersome to make work. Still, if nothing else, couldn't you run
> the Samba copy of Heimdal with the Samba service itself as content?

I'm not quite sure what you mean here...

> All users would come from your primary Kerberos service. This is the
> documented Microsoft way of supporting non-Microsoft Kerberos realms.

I've just not looked into this yet, but it sounds hairy.

Andrew Bartlett

--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Red Hat Inc. http://redhat.com