FW: Kerberos 5 with Samba, Can you help?

Neulinger, Nathan R. nneul at umr.edu
Tue Sep 21 15:39:52 GMT 1999


fyi.

------------------------------------------------------------
Nathan Neulinger                       EMail:  nneul at umr.edu
University of Missouri - Rolla         Phone: (573) 341-4841
Computing Services                       Fax: (573) 341-4216


-----Original Message-----
From: Richard Kandarian [mailto:richard.kandarian at lanl.gov] 
Sent: Monday, September 20, 1999 2:11 PM
To: Nathan Neulinger
Subject: Re: Kerberos 5 with Samba, Can you help?


Nathan,

Thanks for your reply.

I guess most of my problem was just trying to learn it too fast. I got it
working in security = share mode with the NT clients set up to send
passwords in the clear. I made a little patch to allow krb5 authentication
of the mapped_from userid since I wanted to map most of the users to a
single username on the server. Once I went through smb.conf.5 thoroughly I
found I would make things work really well, much better than with NFS. I've
attached my patch. If you aren't the proper person to send it to maybe you
could forward it for me.

Thanks.

At 09:03 PM 9/4/1999 -0500, you wrote:
>Sorry I haven't gotten back to you... 
>
>I've had tremendous trouble with IRIX and a lot of things, but basically,
>all the code that matters is in source/passdb/pass_check.c. 
>
>I've got local patches that make it work with aklog as well, but other
>than that I'm pretty much running the same code.
>
>You might take a look at config.h and make sure that KRB5_AUTH was
>defined. That will tell you. You can also try adding some debugging to
>pass_check.c, since it currently doesn't say anything about kerberos in
>the logs.
>
><more below>
>
>Richard Kandarian wrote:
>> 
>> Nathan,
>> 
>> I'd really like to use Samba (smbd) on my SGI IRIX 6.4 server with kerberos
>> V5 authentication. The server is already set up to use kerberos
>> authentication and that is working with all but Samba. I turned on the krb5
>> stuff in the makefile and it compiled fine except for a warning about not
>> using ldes425 (maybe it DID get used somewhere that I didn't notice since a
>> lot of the executables didn't use any of the special libs for krb). I've
>> tried running smbd -D -d 10 -s /etc/smb.conf and the logs don't mention
>> kerberos at all. The docs mention it but barely.
>> 
>> This is my config file:
>> 
>> [global]
>>   workgroup = WORKGROUP
>>   server string = CAD_HOST
>>   hosts allow = 128.165.
>>   log file = /var/log/samba/log.%m
>>   max log size = 50
>>   security = share
>>   socket options = TCP_NODELAY
>>   preserve case = yes
>>   case sensitive = no
>>   encrypt passwords = Yes
>>   wins server = 128.165.195.13
>> 
>> [PTC]
>>   comment = ESA-DE PTC Pro/E Q: drive
>>   path = /apps/ptc
>>   public = no
>>   writable = no
>>   printable = no
>> 
>> There are no complaints about this config in the log files except that it
>> seems to be insisting on using /usr/private/smbpasswd.
>> 
>> One reason to use kerberos is to avoid having a /usr/private/smbpasswd
>> file. Another is that I would like to use a one-time password card. This
>> works with our (LANL) version of sshd which obtains a kerberos ticket while
>> authenticating the user of the ssh client. I suspect that I'm asking samba
>> to do something it's not designed to do: get the one time password from the
>> client and authenticate the user by getting a kerberos ticket the way our
>> sshd does. Is this correct? Does the smb client have to have a ticket
>> already? I can get a kerberos ticket on my NT machine but I don't see any
>> way to use it while mapping a drive from the samba server. I'd like to
>> avoid recreating accounts on my samba server. I'd rather just take
>> advantage of the accounts on the KDC my server uses.
>
>No, the server would get the ticket on behalf of the client. I will
>point out though - you seem to be security conscious using
>ssh/kerberos/etc. - the password validation in samba using kerberos is
>still sending the passwords over the wire in cleartext.
>
>-- Nathan
>
>> 
>> Please help if you can
>> 
>> Thanks
>> 
>> Richard Kandarian
>> http://www.lanl.gov/cgi-bin/fonelink.pl/085598
>> UNIX is software. M$ Windows is hardware implemented in software.
>> When M$ says 'embrace and extend', what does that bring to mind?
>> A huge boa constrictor?
>> Save the world from M$ tyranny - embrace and extend LINUX before M$ does.
>
>-- 
>
>
>------------------------------------------------------------
>Nathan Neulinger                       EMail:  nneul at umr.edu
>University of Missouri - Rolla         Phone: (573) 341-4841
>Computing Services                       Fax: (573) 341-4216
> 

-------------- next part --------------
--- password.c	Mon Sep 13 14:13:07 1999
+++ ../password.c	Thu Sep 16 08:33:40 1999
@@ -800,6 +800,9 @@
 /****************************************************************************
 core of password checking routine
 ****************************************************************************/
+#ifdef KRB5_AUTH
+extern pstring mappedfrom_user;
+#endif
 BOOL password_check(char *password)
 {
 
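Review bot: the `extern pstring mappedfrom_user;` declaration is wedged between the "core of password checking routine" comment block and `password_check`, and it declares in password.c a global that username.c defines, with no shared header to keep the two in step. Move the declaration to the top of the file (or to the prototype header) under the same `#ifdef KRB5_AUTH`, and give it a one-line comment saying what it holds and that username.c owns it.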
@@ -825,6 +828,7 @@
 #endif 
 
 #ifdef KRB5_AUTH
+  if (*mappedfrom_user && krb5_auth(mappedfrom_user,password)) return(True);
   if (krb5_auth(this_user,password)) return(True);
 #endif
 
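Review bot: the new `if (*mappedfrom_user && krb5_auth(mappedfrom_user,password)) return(True);` trusts a global that nothing in this patch ever clears, so a name stored by an earlier `map_username` call in the same process can be replayed into a later `password_check` for a different connection; clear it (e.g. `*mappedfrom_user = '\0';`) after this check whether or not it succeeds. When no mapping applied, `mappedfrom_user` and `this_user` hold the same string and the KDC is asked twice for the same principal with the same password; a `strequal` guard against `this_user` avoids that. Since the thread notes the log says nothing about Kerberos, a `DEBUG(3,...)` line recording which principal was accepted would help the next person debugging this path.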
--- username.c	Mon Sep 13 14:13:11 1999
+++ ../username.c	Mon Sep 13 16:03:44 1999
@@ -44,6 +44,11 @@
 map a username from a dos name to a unix name by looking in the username
 map
 ********************************************************************/
+
+#ifdef KRB5_AUTH
+pstring mappedfrom_user="";
+#endif
+
 BOOL map_username(char *user)
 {
   static BOOL initialised=False;
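Review bot: `pstring mappedfrom_user="";` sits between the "map a username from a dos name to a unix name" comment block and `map_username`, separating the comment from the function it documents, and carries no comment of its own. Move the definition above the comment block (keeping the `#ifdef KRB5_AUTH`) and document that it holds the pre-mapping name for password.c's Kerberos check, since its purpose is otherwise only discoverable by reading the other file.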
@@ -67,6 +72,10 @@
 
   if (strequal(user,last_to))
     return False;
+
+#ifdef KRB5_AUTH
+  fstrcpy(mappedfrom_user, user); /* save kerberos principal name */
+#endif
 
   if (strequal(user,last_from)) {
     DEBUG(3,("Mapped user %s to %s\n",user,last_to));
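Review bot: `fstrcpy(mappedfrom_user, user);` copies into a `pstring` with the fstring-sized copy macro; use `pstrcpy` so the bound matches the buffer. The copy is also placed after the `if (strequal(user,last_to)) return False;` early return, so when the presented name already equals the last mapping target the global keeps whatever an earlier call stored rather than the name now being checked; put the copy before that early return (or reset the global on entry) so it always reflects the current `user`.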
-------------- next part --------------

Richard Kandarian
http://www.lanl.gov/cgi-bin/fonelink.pl/085598
UNIX is software. M$ Windows is hardware implemented in software.
When M$ says 'embrace and extend', what does that bring to mind?
A huge boa constrictor?
Save the world from M$ tyranny - embrace and extend LINUX before M$ does.
http://www.computerworld.com/home/news.nsf/all/9908102sgireorg2
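As an added illustration (not code from this thread or from Samba itself), the following Python model shows the smb.conf "username map" lookup and the two-step Kerberos check the attached patch attempts, but it hands the presented name back to the caller alongside the mapped one instead of parking it in a process-wide global. The map syntax follows smb.conf(5): `unixname = name1 name2 ...`, `*` matches anyone, `@group` matches group members, and a leading `!` stops processing once that line matches. The KDC is a dict stand-in, Kerberos principals are assumed to be the bare login names with no realm, and every name, group and password in the sample data is constructed.

```python
# Added illustration, not Samba code: a model of the smb.conf "username map"
# lookup and of the two-step Kerberos check the attached patch attempts.
# All names, groups and passwords below are constructed; "principals" are
# assumed to be the bare login names, with no realm.

def parse_username_map(text):
    """Parse lines of the form  unixname = dosname1 dosname2 ...
    '#' or ';' starts a comment; a leading '!' marks a line that stops
    further processing once it matches.  Returns [(unix_name, patterns, stop)]."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        stop = line.startswith("!")
        if stop:
            line = line[1:].lstrip()
        if "=" not in line:
            continue  # malformed line: skip it rather than guess
        unix_name, _, rhs = line.partition("=")
        entries.append((unix_name.strip(), rhs.split(), stop))
    return entries


def _matches(name, pattern, groups):
    """'*' matches any name, '@grp' matches members of grp, anything else is a
    case-insensitive name compare (client-supplied SMB names are not case
    sensitive)."""
    if pattern == "*":
        return True
    if pattern.startswith("@"):
        return name.lower() in {m.lower() for m in groups.get(pattern[1:], ())}
    return name.lower() == pattern.lower()


def map_username(presented, entries, groups=None):
    """Return (unix_user, presented).  After a line matches, later lines are
    matched against the new name unless that line carried a leading '!'.
    Returning the presented name alongside the result is the point: the caller
    gets the pre-mapping name without a process-wide global."""
    groups = groups or {}
    user = presented
    for unix_name, patterns, stop in entries:
        if any(_matches(user, p, groups) for p in patterns):
            user = unix_name
            if stop:
                break
    return user, presented


def krb5_auth(principal, password, kdc):
    """Stand-in for obtaining a ticket for principal with this password; the
    KDC is a dict here.  The password itself still has to reach this server,
    which is the cleartext caveat raised in the thread."""
    return kdc.get(principal) == password


def password_check(presented, password, entries, kdc, groups=None):
    """Try the presented name's principal first, then the mapped account's,
    and return the Unix account granted access, or None.  Each principal is
    tried once even when the map left the name unchanged."""
    unix_user, presented = map_username(presented, entries, groups)
    for principal in dict.fromkeys((presented, unix_user)):
        if krb5_auth(principal, password, kdc):
            return unix_user
    return None


# Constructed sample data.
SAMPLE_MAP = """
# map the site admins to root and stop; the CAD group and two named users
# share the ptcuser account; anyone else becomes guest
!root = admin administrator
!ptcuser = rkandarian nneul @cad
guest = *
"""
ENTRIES = parse_username_map(SAMPLE_MAP)
GROUPS = {"cad": ["dave", "erin"]}
KDC = {"rkandarian": "otp-48213", "nneul": "pw-nneul", "ptcuser": "pw-ptc"}

if __name__ == "__main__":
    for who, pw in (("rkandarian", "otp-48213"), ("dave", "pw-ptc"), ("carol", "x")):
        print(who, "->", password_check(who, pw, ENTRIES, KDC, GROUPS))
```

Without the `!` on the `ptcuser` line, a name that mapped to `ptcuser` would go on to match `guest = *` and end up as `guest`, which is the case smb.conf(5) warns about; the model keeps that behaviour so the effect of `!` is visible.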

