[Samba] Changing password in PDC using a pre-hashed value
Emond Papegaaij
emond.papegaaij at topicus.nl
Tue Nov 25 12:17:35 MST 2014
Sorry for sending my previous mail directly to you, I keep on having trouble
with GMail and mailing lists.
On Tuesday, November 25, 2014 04:18:04 PM you wrote:
> On 25/11/14 16:08, Emond Papegaaij wrote:
> > I've read some articles about Kerberos, and do have some questions
> > about it. From what I've read, Kerberos requires the client to be part
> > of the domain and the client application needs to support the
> > authentication scheme. Both are not possible in our case. For example:
> > I need to perform maintenance on a server, but only have my smartphone
> > (android or ios). I now need to somehow connect to the server using
> > RDP on my phone, but my phone is not in the domain, nor has the client
> > support for Kerberos. Another client that does not seem to support
> > Kerberos is Chrome, the browser used by most coworkers, especially
> > when running Ubuntu. Can I authenticate against a Kerberos service
> > from my Ubuntu laptop without installing and configuring kinit?
>
> Oh come on, you cannot be serious, you cannot expect to properly
> administrate *any* server from a smartphone. =-O
I expect to be able to administrate any server on any system at any time. This
quote from Wikipedia explains our problem quite nicely:
"Kerberos requires user accounts, user clients and the services on the server
to all have a trusted relationship to the Kerberos token server (All must be
in the same Kerberos domain or in domains that have a trust relationship
between each other). Kerberos cannot be used in scenarios where users want to
connect to services from unknown/untrusted clients as in a typical Internet or
cloud computer scenario, where the authentication provider typically does not
have knowledge about the users client system."
This one requirement eliminates Kerberos for us. We do not require our
employees to join a domain, nor do I want to. Also, setting up trusted domains
on several sites is simply a no-go. It's not what we want nor what we need.
> > Did I misunderstand Kerberos, or is this how it works?
>
> Yes you have misunderstood Kerberos and yes it is how it works.
Even though the terminology I use might not be entirely correct, I think I've got
the big picture of the Kerberos protocol quite right. It's not going to solve
our problem. At the moment, we've got two options left: Perhaps
https://wiki.samba.org/index.php/Samba_%26_LDAP might help us. Our second
option is storing the passwords using symmetrical encryption but letting the
user store the key.
Best regards,
Emond Papegaaij
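The "second option" at the end of the message, the server keeping the password encrypted under a key only the user can reconstruct, is sketched below as an added illustration. It is not code from the thread, from Samba, or from the author; it assumes the stored secret is an arbitrary byte string (a password or a pre-hashed value), that the user's own login password is the only thing the user carries, and, to stay inside Python's standard library, uses PBKDF2-HMAC-SHA256 for key derivation and HMAC-SHA256 in counter mode with an encrypt-then-MAC tag as the cipher (a stand-in for a proper AEAD such as AES-GCM where a crypto library is available). The function names are mine.

```python
"""
Added example (not from the mailing-list thread): wrap a stored secret under
a key derived from the user's login password, so the server cannot read it
without the user present. Standard library only; the cipher is an
HMAC-SHA256 counter-mode keystream plus an HMAC tag (encrypt-then-MAC),
chosen because the stdlib has no block cipher. Function names are assumed.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Assumption: iteration count is a placeholder; tune it for the target hardware.
PBKDF2_ITERATIONS = 200_000


def derive_keys(user_password: str, salt: bytes) -> Tuple[bytes, bytes]:
    """Derive independent encryption and MAC keys from the login password."""
    master = hashlib.pbkdf2_hmac(
        "sha256", user_password.encode("utf-8"), salt, PBKDF2_ITERATIONS, dklen=64
    )
    return master[:32], master[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256(key, nonce || counter) blocks concatenated to `length` bytes."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def wrap_secret(user_password: str, secret: bytes) -> Dict[str, bytes]:
    """Encrypt `secret` under the user's password; returns the record to store."""
    salt = os.urandom(16)
    nonce = os.urandom(16)
    enc_key, mac_key = derive_keys(user_password, salt)
    ct = bytes(a ^ b for a, b in zip(secret, _keystream(enc_key, nonce, len(secret))))
    # Tag covers everything the decryptor will trust: salt, nonce and ciphertext.
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "ct": ct, "tag": tag}


def unwrap_secret(user_password: str, record: Dict[str, bytes]) -> Optional[bytes]:
    """Recover the secret, or None if the password is wrong or the record was altered."""
    enc_key, mac_key = derive_keys(user_password, record["salt"])
    expected = hmac.new(
        mac_key, record["salt"] + record["nonce"] + record["ct"], hashlib.sha256
    ).digest()
    if not hmac.compare_digest(expected, record["tag"]):
        return None  # verify before decrypting; never release unauthenticated plaintext
    ks = _keystream(enc_key, record["nonce"], len(record["ct"]))
    return bytes(a ^ b for a, b in zip(record["ct"], ks))


def rewrap_on_password_change(
    old_password: str, new_password: str, record: Dict[str, bytes]
) -> Optional[Dict[str, bytes]]:
    """The operational cost of this design: a login-password change must be
    performed while the old password is still known, because the server alone
    cannot re-encrypt the secret. Returns None if the old password is wrong."""
    secret = unwrap_secret(old_password, record)
    if secret is None:
        return None
    return wrap_secret(new_password, secret)


if __name__ == "__main__":
    rec = wrap_secret("correct horse battery", b"example-pdc-password")  # constructed sample
    assert unwrap_secret("correct horse battery", rec) == b"example-pdc-password"
    assert unwrap_secret("wrong password", rec) is None
    print("wrap/unwrap ok; record fields:", sorted(rec))
```

The trade-off the message alludes to is visible in `rewrap_on_password_change`: because the server never holds the key, a forgotten login password also loses the wrapped secret, and any password-reset flow has to re-collect the underlying secret from the user rather than re-encrypt it server-side.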