Re: SPNEGO questions

From: Andrew Bartlett <abartlet@dont-contact.us>
Date: Thu, 20 Oct 2005 08:26:04 +1000

On Thu, 2005-10-20 at 00:11 +0200, Serassio Guido wrote:
> Hi Henrik,
>
> At 23.00 19/10/2005, Henrik Nordstrom wrote:
> >>Downloaded, compiled, and joined to the domain.
> >
> >Good.
>
> I have discovered that the machine account in the domain is not
> created correctly: the SPNs HOST/machine and HOST/machine.fqdn are
> not created. They are needed from the Kerberos KDC for the token distribution.
> So I have manually added the SPNs to the machine account.

Oh? It certainly should try to.

> >>But I like to do some tests to verify if the basic membership is
> >>working, but ....
> >>- many configuration directives in smb.conf are changed
> >>- swat doesn't work
> >>- I can't find any documentation about Samba 4 smb.conf
> >
> >You shouldn't need much config at all for just authentication via winbind.
> >
> >It's probably best tested with ntlm_auth in its different modes.
>
> Probably true. But I like to be sure that my Samba 4 interacts
> correctly with AD using Kerberos before trying SPNEGO authentication.

The main thing you need to do is to ensure ntlm_auth can read the
secrets.ldb (so it can get at the Kerberos keys). As the samba4
winbindd matures, I'll look into ways to 'outsource' the checking of the
ticket.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Samba Developer, SuSE Labs, Novell Inc.        http://suse.de
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net

Received on Wed Oct 19 2005 - 16:26:14 MDT
