[Samba] samba,ldap and kerberos

Andrew Bartlett abartlet at samba.org
Sun Mar 21 21:45:15 GMT 2004

On Sun, 2004-03-21 at 23:33, Gémes Géza wrote:
> Hash: SHA1
> Andrew Bartlett írta:
> | On Sun, 2004-03-21 at 22:43, Gémes Géza wrote:
> |
> |>Hash: SHA1
> |>
> |>Andrew Bartlett írta:
> |>| On Fri, 2004-03-19 at 09:19, aarumuga arumugam wrote:
> |>|
> |>|>Hi Everybody,
> |>|>                We are integrating samba,kerberos and ldap
> |>|>samba-3.0.2a
> |>|>sun kerberos
> |>|>sun ldap
> |>|>all the three servers are on three different solaris machines.
> |>|
> |>|
> |>| In an unfortunate twist, Samba's kerberos support is *only* available
> |>| against active directory.  Even if you have somehow convinced your
> |>| windows client to talk kerberos against a unix KDC, Samba will only join
> |>| AD.
> |>
> |>OK that's understandable, but recently you have made some (Loriket)
> |>patches to Heimdal, and using them together with Heimdal's LDAP backend,
> |>would it be possible, to fool Samba into thinking that it joined AD, or
> |>Samba requires tickets containing MS PAC?
> |
> |
> | The heimdal patches were a different thing - in that case Samba is not
> | actually using Kerberos at all (but it is part of my plan to allow it).
> |
> | As to looking like AD, there is much more to AD than LDAP+kerberos.  But
> | that does not stop us making a good stab at making LDAP+Kerberos viable
> | for unix clients, which we have some control over...
> |
> OK, sorry for my quite confusing reply, what I was really interested in
> is if Samba as an AD client would use the information contained in MS
> PAC, or after getting the ticket would do an LDAP lookup, to get the
> authorization(SIDS)/account(HomeDrive,etc) informations?
> In the later case a correctly configured Heimdal/LDAP could simulate an
> AD (except MSRPC calls) for Samba (but not Windows :-( )

Actually, if you joined a Samba server to itself, with the current
snapshot Heimdal-LDAP, I think this would actually work!

(Due to a few quirks and other things....)

Samba does not actually use the PAC - it decodes it, but throws it
away.  I need to fix that, as it would assist greatly in some of the
AD-MIT trust issues. 

> Thanks,
> Geza
> P.S.
> My question could be reformulated: what is needed to have a UNIX AD (!)
> signs where work has to be done?
> - -LDAP with multimaster(!) replication

Done.  Samba would need to know some things about it, (it assumes a
single coherent master at this point), but OpenLDAP can do multi-master.

> - -Kerberos with LDAP backend, with NTLM hashes (Loriket) and MSPAC(!)

This bit is half-done already, as you know, we can upgrade a Samba SAM
into kerberos now.

> - -DNS with LDAP backend, and Kerberos authenticated updates(!)

This is interesting, but far from impossible.  Tridge has some code to
handle the client-side of this (in perl...).  I think there has been
other work too.

> - -DHCP server

There are DHCP-LDAP patches out there, and I know of sites that use

> - -NTP server

Easy :-)

> - -New MSRPC calls in Samba(!)

This is where most of the work is.

> - -Anything else?

The LDAP server must support the MS schema, and all the work that goes
on behind that.  

This is a lot of work, but we can start on this, and get useful 'unix'
functionality, even if it takes us longer to convince the windows
clients to go all the way.

The biggest problem is that, unlike Microsoft, in the Open Source arena,
there is nobody to bang heads together, to say 'you will make this
work'.  That means that we have nasty little situations, where some
projects might be used 'against their will'.  

To give you an example:  There are parts of the community that feel
particularly strongly wed to the standards their software implements.  A
perfectly reasonable position - except that MS cares not about fine
details of standards, and 'works with MS' and 'strict interpretation of
standards' are two very different things.  

Fortunately I have got very positive feedback from other parts of the
community - I was particularly pleased with the reaction from Heimdal,
and I intend to do more work there in future. 

Andrew Bartlett

Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/samba-technical/attachments/20040322/0541101b/attachment.bin

More information about the samba-technical mailing list