Date: Fri, 28 Mar 2014 16:44:45 -0700
Subject: Using Kerberos to authenticate users
From: Chris Stankevitz
To: freebsd-questions

Hello,

Please consider this theoretical scenario:

1. I have a FreeBSD running samba to allow people on windows computers to read/write files on the hard drive.
1a. I create several users (and passwords) on the FreeBSD system.
1b. Windows users have to enter a "FreeBSD username" in order to access the share.
1c. Windows users have to enter the corresponding "FreeBSD password" in order to access the share.
1d. File permissions, enforced by the file system, are based on the "FreeBSD username".

2. I have configured kerberos according to handbook section 14.5.4 such that "kinit" can be used to "get a windows domain ticket" for a particular Windows domain user.

Question: Is it possible to modify my setup such that:

3. I manually add "FreeBSD usernames" to the system such that each new username is identical to a username on the "windows domain" [A: yes, of course this is possible]
4. Step (1c) is modified such that the user can type his "Windows domain password" in order to access the share.
5. Step (1d) still applies

If this is possible, please share with me the keywords and I will be happy to read more about it in the FreeBSD handbook or man pages.

Thank you!

Chris