[Samba] Samba + (LDAP + Kerberos V)

Gémes Géza geza at kzsdabas.sulinet.hu
Wed Oct 20 20:46:36 GMT 2004


Matt Joyce wrote:

> Gémes Géza wrote:
>
>> Matt Joyce wrote:
>>
>>> So like at least a handful of people before me I have begun the 
>>> valiant struggle to unify logins at my place of business.
>>>
>>> I have set up a test LDAP + Kerberos V cluster.
>>>
>>> And I have set up a test Samba 3 PDC.
>>>
>>> What I would like to do is get Samba to handle kerberos ticket 
>>> granting and authentication to the (LDAP + Kerberos V) Directory.  
>>> Such that Windows is completely unaware of the existence of 
>>> Kerberos.  And, also such that I don't have to keep samba domain 
>>> passwords in ldap and sync them to kerberos in some sort of bizarre 
>>> otherworldly failure in authentication unification.
>>>
>>> (Pardon my attempts at prose I am working on 3 hours of sleep)
>>>
>>> The question is really one of what you might suggest in terms of a 
>>> design, particularly if you have tried and/or done this in the past.
>>>
>>> I have heard at least with samba 2 what I am trying is impossible.  
>>> Not sure with Samba 3.  I am wondering if the Active Directory 
>>> support can be employed to my benefit in this manner.
>>>
>>
>> You can read more about it at:
>> https://sec.miljovern.no/bin/view/Info/HeimdalKerberosSambaAndOpenLdap
>>
>>
>>> Now, assuming the worst and samba is incapable of handling kerberos 
>>> tickets, and assuming I manage to handle tickets in ldap itself.... 
>>> I can authenticate LDAP Samba users of Kerberos without having to 
>>> keep a synced password db correct?
>>>
>>> -Matt
>>
>>
>>
>> Cheers
>>
>> Geza
>>
> yeah that's almost decent documentation for ldap + kerberos but says 
> absolutely nothing about samba 3.
>
>
That's very easy to explain, because if you follow it you will have your 
Kerberos using Samba's MD4 password hash, and so all of your *nix and 
Windows machines will use the same password. However, as Samba3 is able to 
emulate an NT4 DC, Windows clients don't try, nor are they successful in, using 
Kerberos against it. So you can have something like in the following 
ASCII graphic:
[ASCII diagram, garbled in the archive: boxes labelled *nix client, Windows client, Samba, LDAP and Heimdal, joined by arrows (the *nix client's arrow points to LDAP; the Windows client's goes through Samba)]

Hope this helps to clarify the situation in a pre-Samba4 world.

Cheers,

Geza

