Hello to everybody, I want to configure a samba3 server that authenticates users via our Windows ADS server (security=ADS in smb.conf). The whole setup works fine when I use NFS version 3 to mount the user directories from our NFS server. The samba server is joined into our Windows ADS domain "ADSREALM.UNI-KOBLENZ.DE".
Now I want to replace NFS3 by NFS4/kerberos with a MIT kerberos server running on a linux machine serving a "LINUXREALM.UNI-KOBLENZ.DE" realm that is different from the ADS server realm "ADSREALM.UNI-KOBLENZ.DE". The basic setup also works fine, i.e. on the samba server I can mount the user directories with sec=krb5 and access the data if I am root on the samba server. When I try to access a user's file located on NFS as a particular user I get a permission denied, since I did not authenticate as this user and this user has no TGT. What's missing is how to marry the MIT kerberos server holding the machine keytab for nfs with the windows ADS server managing the user authentication. So how can I tell the MIT kerberos server to "ask" the ADS server if a smb process wants to access a user directory? My idea was to create a realm trust between ADSREALM.UNI-KOBLENZ.DE and LINUXREALM.UNI-KOBLENZ.DE. So our Windows admin created a (two way) realm trust for my linux kerberos server and on this machine I created a principal "krbtgt/linuxrealm.uni-koblenz...@adsrealm.uni-koblenz.de" with the same password that was used on the windows side. Additionally I added auth_to_local rules to map principal names to simple account names (remove all after the "@"). Now on the samba server I can run a kinit u...@adsrealm.uni-koblenz.de and authenticate with the password of "user". Now if I try to connect a network drive from a windows machine using my samba server, the network drive can be connected but Windows immediately reports an "access denied" error, and I cannot access the attached network drive at all. At the moment I do not understand what's going wrong. I guess that the trust does not work as expected, but how can I find out more and debug what's happening? I also do not know if my basic idea of using a realm trust is well suited for my problem or if perhaps another solution would be much better.
Does anyone already have a running setup of my kind where samba authenticates users via ADS and NFS4 access is granted via another kerberos server? Does anyone have an idea what might go wrong with my setup? Thanks a lot in advance for any help.
Rainer
--
Rainer Krienke, Uni Koblenz, Rechenzentrum, A22, Universitaetsstrasse 1, 56070 Koblenz
http://userpages.uni-koblenz.de/~krienke, Tel: +49261287 1312
PGP: http://userpages.uni-koblenz.de/~krienke/mypgp.html, Fax: +49261287 1001312
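Since the post hinges on whether the auth_to_local rules actually turn a cross-realm principal such as user@ADSREALM.UNI-KOBLENZ.DE into a local account name, here is an added example (not from the original post, and not MIT's own code) that re-implements the MIT krb5 RULE/DEFAULT auth_to_local matching in Python so the rules from krb5.conf can be checked offline, without a KDC. The realm names, the example rule and the principals are constructed to mirror the setup described above; the handling of a non-applicable DEFAULT entry (fall through to the next rule) is an assumption about MIT's behaviour, which is why DEFAULT is listed last. A principal for which this returns None is exactly the case where an NFS or Samba access ends in "permission denied" even though the Kerberos exchange itself succeeded.

```python
import re
from typing import List, Optional, Tuple

# Constructed values mirroring the post: the MIT KDC's default realm is the
# linux realm, and users from the trusted ADS realm should map to bare names.
DEFAULT_REALM = "LINUXREALM.UNI-KOBLENZ.DE"

# Hypothetical auth_to_local list as it would appear under [realms] in krb5.conf.
AUTH_TO_LOCAL = [
    r"RULE:[1:$1@$0](^.*@ADSREALM\.UNI-KOBLENZ\.DE$)s/@.*//",
    "DEFAULT",
]


def split_principal(principal: str) -> Tuple[List[str], str]:
    """Split 'comp1/comp2@REALM' into (['comp1', 'comp2'], 'REALM')."""
    name, sep, realm = principal.rpartition("@")
    if not sep:
        raise ValueError("principal has no realm: %r" % principal)
    return name.split("/"), realm


def _find_closing(text: str, open_ch: str, close_ch: str) -> int:
    """Index of the close_ch matching text[0] == open_ch, honouring backslash escapes."""
    depth, i = 0, 0
    while i < len(text):
        c = text[i]
        if c == "\\":
            i += 2
            continue
        if c == open_ch:
            depth += 1
        elif c == close_ch:
            depth -= 1
            if depth == 0:
                return i
        i += 1
    raise ValueError("unbalanced %s in rule" % open_ch)


def _split_unescaped(text: str, delim: str) -> List[str]:
    """Split on delim, but keep backslash-escaped characters together."""
    parts, cur, i = [], "", 0
    while i < len(text):
        c = text[i]
        if c == "\\" and i + 1 < len(text):
            cur += text[i:i + 2]
            i += 2
            continue
        if c == delim:
            parts.append(cur)
            cur = ""
        else:
            cur += c
        i += 1
    parts.append(cur)
    return parts


def parse_rule(rule: str):
    """Parse 'RULE:[n:fmt](regex)s/pat/rep/g' into (n, fmt, regex, (pat, rep, global))."""
    m = re.match(r"^RULE:\[(\d+):([^\]]*)\]", rule)
    if not m:
        raise ValueError("bad rule: %r" % rule)
    ncomp, fmt = int(m.group(1)), m.group(2)
    rest = rule[m.end():]
    match_re = None
    if rest.startswith("("):
        end = _find_closing(rest, "(", ")")
        match_re, rest = rest[1:end], rest[end + 1:]
    subst = None
    if rest.startswith("s/"):
        parts = _split_unescaped(rest[2:], "/")
        if len(parts) < 3:
            raise ValueError("bad substitution in rule: %r" % rule)
        subst = (parts[0], parts[1], "g" in parts[2])
    return ncomp, fmt, match_re, subst


def apply_rule(rule: str, principal: str) -> Optional[str]:
    """Apply one RULE entry; None means the rule is not applicable."""
    ncomp, fmt, match_re, subst = parse_rule(rule)
    comps, realm = split_principal(principal)
    if len(comps) != ncomp:          # selector must equal the component count
        return None

    def fill(mo):                    # $0 is the realm, $1..$n the components
        idx = int(mo.group(1))
        if idx == 0:
            return realm
        return comps[idx - 1] if idx <= len(comps) else ""

    formatted = re.sub(r"\$(\d+)", fill, fmt)
    if match_re is not None and not re.fullmatch(match_re, formatted):
        return None                  # MIT requires the regex to match the whole string
    if subst is None:
        return formatted
    pat, rep, is_global = subst
    return re.sub(pat, rep, formatted, count=0 if is_global else 1)


def map_principal(principal: str, rules=AUTH_TO_LOCAL,
                  default_realm: str = DEFAULT_REALM) -> Optional[str]:
    """Walk the auth_to_local list in order; None means no local name exists."""
    comps, realm = split_principal(principal)
    for rule in rules:
        if rule == "DEFAULT":
            # DEFAULT only maps single-component principals of the default realm;
            # assumed here to fall through to later rules when not applicable.
            if realm == default_realm and len(comps) == 1:
                return comps[0]
            continue
        local = apply_rule(rule, principal)
        if local is not None:
            return local
    return None


if __name__ == "__main__":
    for p in ("krienke@ADSREALM.UNI-KOBLENZ.DE",
              "krienke@LINUXREALM.UNI-KOBLENZ.DE",
              "nfs/fileserver.uni-koblenz.de@LINUXREALM.UNI-KOBLENZ.DE",
              "krienke@OTHER.EXAMPLE"):
        print("%-60s -> %s" % (p, map_principal(p)))
```

Running the script shows the two user principals mapping to "krienke", while the nfs/ service principal and a user from an untrusted realm map to nothing. When a rule in your real krb5.conf yields None for the ADS principals, the NFS server's idmapping (and Samba's winbind lookup) will have no local user to assign, which is consistent with the "access denied" seen from Windows; the same check can be made on the live system with `kinit user@ADSREALM.UNI-KOBLENZ.DE` followed by a klist and a look at the rpc.gssd or nfsidmap logs with verbosity raised.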
Kerberos mailing list, Kerberos@mit.edu, https://mailman.mit.edu/mailman/listinfo/kerberos