Kerberos 4 and Samba as a NT PDC?

Steve Langasek vorlon at netexpress.net
Wed Aug 2 22:37:02 GMT 2000


Hi Paul,

On Tue, 1 Aug 2000, Paul Greidanus wrote:

> Anyone worked with a combination of Samba (TNG, or 2.x) running as a PDC for
> a network of primarily NT workstations, with the passwords being
> authenticated back into a Kerberos IV database? or a Kerberos V?

> I'm trying to get this working so that I don't have to work with NT user
> accounts at my site, as I've got access to usernames and passwords through
> Kerberos.

If all you wanted was SMB sessions authenticated against Kerberos, that
wouldn't be too hard of a problem (although doing it Right might be another
matter).  But since you say you want this Samba machine to be a PDC, the
problem becomes much more difficult.

When a workstation authenticates to a PDC, it takes the password from the
user, encrypts it in NTLM format, and sends this (more or less securely) to
the server.  The server compares it with the NTLM-encrypted form of the
password that it has.

Kerberos, on the other hand, can be used for authentication in basically two
ways; one way (the preferred way for security) is third-party authentication
against the KDC.  Since this would require sending a Kerberos ticket across in
the SMB authentication sequence, it's pretty much out of the question, unless
you're prepared to modify the SMB support on all of your NT workstations.  The
other way to authenticate against a Kerberos database, the method used by PAM
modules and the like, is to pass the plaintext password to the server, and let
the server check if it can decrypt a TGT (ticket-granting-ticket) for the
user with the password it was given.

The problem then is, how do you get the cleartext password to the server?  If
you aren't using domain security, it can be done by turning on the cleartext
password option in your client registry; but with domain security, all you'll
ever get is the NTLM hash.

One option would be to use the NTLM hash as the key for encrypting user
tickets, instead of the plaintext password; but if your Kerberos database is
used for other things, then this isn't feasible either.

If you really need this to work, then you have three options...

1) back off the NT domain support, and do plaintext password authentication
against the Samba server (which will then authenticate against the KDC).  This
will cost you the security of the NT domain model.

2) use NTLM hashes in your KDC instead of plaintext passwords.  This will cost
you interoperability with existing Unix programs deployed on your network.

3) upgrade all of your NT workstations to Win2k.  God knows what /that/ will
cost you, and I'm not sure this would even work with Samba at this point.

Not the answer you were looking for, I'm sure, but I hope it at least
helps you frame the problem.

Steve Langasek
postmodern programmer
