[XAD] Re: Kerberos v5 release 1.1, OpenLDAP 1.2.8, and samba 2.1.0 as an NT Domain Controller

[Nicolas Williams]

[[NOTE: openldap list removed from Cc: list]]

On Tue, Dec 14, 1999 at 11:05:36AM +1100, Luke Howard wrote:
> 
> G'day,
> 
> >1.  Could the KDC store it's database in the LDAP directory?
> 
> Yes. Indeed, this was the reason we implemented the domain socket
> transport for OpenLDAP. There's still a lot of work to be done
> to implement this, though.
> 
> >2.  Could the LDAP directory require Kerberos v5 authentication before
> >allowing a user/service access to the directory?
> 
> In principle (pun not intended!), yes. However, OpenLDAP still requires
> support for the GSS-API SASL mechanism in order to do this in the
> "correct" manner. Netscape's Directory Server supports this mechanism
> with an appropriate plugin, and OpenLDAP will eventually support SASL
> authentication using the Cyrus SASL library.
> 
> >3.  Would a user first need a TGT, then request authentication from the
> >samba server, which in turn would check the LDAP directory for a match?
> 
> W2K clients use a complicated mix of Kerberos, LDAP, and RPCs for
> authentication and authorization. Check out:
> 
> http://www.microsoft.com/security/resources/brundrett.asp

I just read that doc.

It seems that when using NTLM for authentication NT services will fetch
the user's profile from the DC for impersonation.

It seems that when using Kerberos5 for authentication NT services will
use the user's profile if attached to the kerberos5 ticket, or, if the
profile data is not in the ticket, impersonation is disabled.

Is that a correct reading of that document?

If so, why the difference in behaviour? If the profile is not in the
krb5 ticket, why not query a DC for it as is done when using NTLM? Is
the issue one of mapping krb5 principals to ActiveDirectory objects when
the KDC is a non-ActiveDirectory KDC?

> for some interesting reading. That said, I believe SAMBA supports LDAP
> now as a backend to its pre-W2K domain controller service.
> 
> >2. Configure Kerberos server --with-LDAP so that the Kerberos database is
> >stored in the LDAP directoy, and kerb password changes, etc. are made to the
> >LDAP directory (if that's what the --with-ldap option actually does for
> >kerb1.1--if not, what does it do?)
> 
> I wasn't aware of this -- I'm curious to know more.
> 
> 
> regards,
> 
> 
> -- Luke
> 
> --
> 
> ___________________________________________________________________________
> luke howard                                                  lukeh at PADL.COM 
> PADL software pty ltd                                   http://www.PADL.COM


Nico
--
-DISCLAIMER: an automatically appended disclaimer may follow. By posting-
-to a public e-mail mailing list I hereby grant permission to distribute-
-and copy this message.-

This message contains confidential information and is intended only 
for the individual named.  If you are not the named addressee you 
should not disseminate, distribute or copy this e-mail.  Please 
notify the sender immediately by e-mail if you have received this 
e-mail by mistake and delete this e-mail from your system.

E-mail transmission cannot be guaranteed to be secure or error-free 
as information could be intercepted, corrupted, lost, destroyed, 
arrive late or incomplete, or contain viruses.  The sender therefore 
does not accept liability for any errors or omissions in the contents 
of this message which arise as a result of e-mail transmission.  If 
verification is required please request a hard-copy version.  This 
message is provided for informational purposes and should not be 
construed as a solicitation or offer to buy or sell any securities or 
related financial instruments.