[PATCH] ADS changes for joining accounts w/o full Administrator
rights
Antti Andreimann
Antti.Andreimann at mail.ee
Tue Feb 11 18:55:49 GMT 2003
Ühel kenal päeval (teisipäev, 11. veebruar 2003 13:39) kirjutas Andrew
Bartlett:
> > I'm not quite convinced about this. I'm quite willing (but see below)
> > to apply the rest of this patch, but I'll need a good explanation of
> > what this patch does.
Well, It's purely because our internal needs but I think this could be useful
for other people as well.
Consider the following situation:
You have a kerberos realm that holds all the user accounts (COMPANY.COM)
Now You have an ADS server (AD.INTERNAL) that is set up to trust that realm.
All users are replicated in ADS, but their passwords remain in kerberos. This
is the standard method of getting kerberos and AD to play nicely with each
other.
Now if I configure samba to use ADS It should be configured to be part of the
realm AD.INTERNAL right? Therefore all users from COMPANY.COM are considered
as being from foreign realm and their usernames take a form like
"COMPANY.COM/username". This would be OK, if those users are in fact from
foreign realm, but in this kind of configuration where You are using kerberos
for authentication and AD merely acts as a bridge for Windows users, You want
Your Linux server to be part of the main kerberos realm (COMPANY.COM) and use
normal usernames (username instead of COMPANY.COM\username).
You cannot configure samba to be part of COMPANY.COM realm because in this
case samba tells clients that they should obtain tickets like
servername$@COMPANY.COM that Your primary kerberos is likely not to grant and
also Windows clients will actually ignore this and ask the ticket from AD
kerberos anyway. So the best way in my opinion is to add a configuration
option that allows one to define additional realms that are considered
"local", that is when a user from that realm connects, the realm is not added
to the username. This is what my patch does. In addition to checking if
incoming user is from primary realm (defined in smb.conf as realm =
SOMETHING) it also checks if it is from one of the realms mentioned via
"local realms" configuration option.
Ok, this could also be achieved by Samba to Unix user mapping table (smbusers)
but it will be a massive administrative overhead if You have to maintain
those tables on all samba servers.
> > We need patches to be against current CVS - the patch does not apply
> > cleanly at present.
I am really sorry about this. I do not have direct access to CVS from work. I
know it's bad in the long run anyway so Im working on resolving that issue
but until it's not resolved I'm sitting kinda in darkness.
> I've cleaned up the patch (attached, for reference), and removed the
> session-setup changes for now.
Thanx a lot. I owe You one ;)
> need two copies. Also, you need to be careful to copy the attribution
I gave it some thought and I decided to duplicate the code for two reasons.
I'm just not that familiar with samba code, maybe those issues can be
resolved in a snap and in this case the duplication is of course needless.
1. The prototype generator does not generate prototypes for functions that
return krb5_error so I would of had to add the decalration into ads.h or
wherever manually. This I think breaks the spirit of sambas' header files
since I hardly saw any function prototypes in headers and I was too much of a
wuss to change the prototype generation script, since who knows what other
prototypes will get generated if I add krb5_error to the list ;)
2. At least one client program (I do not remember which) was not linked
against libads. Maybe it should be, but since it was the first one I tried to
link and it failed, I backed off on trying to make kerberos_prompter global.
> with the code. You may also add your personal copyright, if you feel
> that way inclined.
I'm sorry again. I'ts entirely my fault. I did some cleanups in comments like
the mentioning of correct internet drafts in kpasswd code and I guess I just
blindly removed the last two lines of comments before kerberos_prompter,
without looking at the author's notice. Sorry.
As You could see I did not add any copyright lines of my own and I do not plan
to, since those are only minor improvements and I can give the entire
copyright up to the samba project.
--
Antti Andreimann
Using Linux since 1993
Member of ELUG since 29.01.2000
More information about the samba-technical
mailing list