[Samba] Re: Samba PDC and Kerberos(MIT or SEAM in Uinx,without microsoft ADS)

Yura Pismerov ypismerov at tucows.com
Fri Nov 1 21:29:00 GMT 2002 

Jonathan Higgins wrote:
> 
> A few more questions and comments... related to this topic
> 
> If Kerberos is the back-end to LDAP.. there is no need to synchronize or store a >password in the LDAP tree.. just the principal for the user in the userpassword >attribute: userpassword = {kerberos}name at domain

	That is correct. I did not mean sync between Kerberos and LDAP, I mean
sync between Kerberos and Samba passwords stored in LDAP. 


> 
> in the smb.conf file do I need stuff like this?
> Unix password sync = yes
> passwd program = /some-path/to-a/script-which/synchronize-kerb-smb %u

	Yes. 

> 
> in this program "synchronize-kerb-smb"
> %u is the username and comes in as an argument, then request the password and read it >in from STDIN.. ... then run a smbpasswd %u feeding the password.. and  then get a >valid user/admin ticket using kinit for an account validated by a keytab .. then run >kadmin.local -q 'cpw -pw $password $username' to synchronize with Kerberos

Easier (not yet more secure though) way is creating a separate Kerberos
principal with permissions for password change, saving the key (with
ktadd -k "file") in separate keytab and using the key with kadmin -k -t
/path/keytab -p "principal_name". Then "cpw user at DOMAIN" will change
password for the user. The cpw command can be passed to kadmin via
expect script or via STDIN (less secure though).


> 
> this has the potential to work(I think)but... im missing a few parts.. can a script >like this synchronize passwords when they are forced to change their password at the >client level.. say expire the users password?  And what happens if they change there 


Kerberos has his own password expiration mechanizm. You can write a
script tha will 
scan prinipals in KDC, extract password expire dates and compare it with
current date.
Then, let's say 5 days before the expiration, it can start sending
notifications to users. The warning message can contain a link to a
webpage for the password change.


>password using kpassword.. that has the potential to unsyncronize the passwords..

Yes, if user changes password with kpassword, there is no way to
synchronize it with Samba password. So users must be instructed to use
either standard Windows way to change the passwords, or a webpage. The
CGI script will take care of changing passwords in Kerberos and Samba
(via smbldap utilities, for example) realms.

> 
> Also.. what about the adding machines trusts to the samba domain?.. I've seen where people use the:
> add user script = /some/adduserscript -n -g machines -c Machine -d /dev/null -s /bin/false $m$
> 
> is there any way to change the LDAP suffix before adding a machine to the LDAP tree?.. >In my current setup I have all users in an ou=people area.. and so my LDAP suffix = >"ou=people, dc=domain".. but I don't want to add machines to this container.. I would >rather put them in something like "ou=hosts, dc=domain"..

	Yes, you can do it with the mentioned smbldap scripts where People and
Computers DNs can be configured. Then you use add user
script=/path/smbldap-useradd.pl -w %m$
	

> I have many more questions.... but don't want to change the topic too much...

	:)

> 
> Jonathan Higgins
> Network Service Specialist IV
> jhiggins at kennesaw.edu
> 
> >>> Yura Pismerov <ypismerov at tucows.com> 10/31/02 07:38PM >>>
> 
> Here what you could use:
> 
> LDAP with Kerberos password backend.
> Samba 2.2.6 PDC with LDAP backend.
> 
> Windows passwords are stored in LDAP in samba object, not in Kerberos
> KDC since they use incompatible encryption methods.
> 
> Use Kerberos passwords as primary source and synchronize Windows
> passwords with them when user changes his password or administrator
> reset it.
> 
> This setup will allow to use the same password across the board for Unix
> shell access and email (via pam_ldap, nss_ldap and pam_krb5) and for
> Windows access (via Samba PDC), and the same name space will be used
> everywhere (via LDAP), so no mapping needed.
> 
> Of course it will require quite a few scripts to synchronize passwords,
> create users in LDAP and Kerberos, etc. But it works...
> 
> 
> 
> Yongjun Rong wrote:
> >
> > Hi, Andrew,
> >    Thank you very much for your answer.
> >    Now our case is as below:
> >    1, our client machine is the windows 2000
> >    2, We want our Kerberos run in the Unix box.
> >    3, We also want the samba as PDC for all windows user and machine.
> >    4, We want integrate the Kerberos Authentication with samba authentication.
> >    So in this situation, can we get the kerberos login from the windows 2000 client
> > because the windows 2000 is support kerberos authenctication. If it can, where can I
> > start?
> >    I have already setup the environment for windows 2000 client auhtenticating
> > himself to the Kerberos Realm in the Solaris and authenticate the samba domain user
> > to the local windows 2k machine. But this two cases are seperated from each other
> > which means the kerberos authentication use the kerberos password and samba PDC
> > authentication use the smbpasswd. And I can also map(using Ksetup /mapuser) the
> > kerberos user to the local or samba domain user and then do the authentication to
> > the kerberos. So we really want is, when we do the samba PDC authentication we can
> > use the kerberos password. I don't know if it right. PLS correct me .
> >   Thank you very much.
> >   John
> >
> > ---- Original Message ----
> > From:           Andrew Bartlett
> > Date:           Mon 10/28/02 17:24
> > To:             Yongjun Rong
> > Cc:             abartlet at samba.org
> > Subject:        Re: Samba and Kerberos(MIT or SEAM, without microsoft ADS)
> >
> > Yongjun Rong wrote:
> > >
> > > Hi, Andrew,
> > >    This is John from Texas Tech University.I have read your reply about samba and
> > > kerberos. May I ask you some question about samba and Kerberos.
> > >    1, Is the samba can use the kerberos(Not with ADS, Just MIT or SEAM in Solaris)
> > > as the authentication services and store samba user and passwd in the kerberos
> > > database directly but not using OpenLDAP?
> >
> > If you can get the clients to send you a kerberos login without using
> > ADS, then the modification is realitivly simple, and is part of the work
> > towards an Active Directory replacement.
> >
> > >    2, If it cannot, I know the samba has support the Kerberos with Microsoft ADS.
> > > Where can start to change the source to enable the support for MIT or SEAM in
> > > solaris? How can I do it? I have download the source of samba3.0alpha20. And I also
> > > have configure the samba as a PDC for my win2k client.
> >
> > You can't do PDC stuff with this kind of setup, not until we get a *lot*
> > more Active Directory work done.
> >
> > >    3, You said that samba should support the MIT kerberos. But not at this moment.
> > > Did it support keberos in the older version or not? which version? If it was not
> > > support. I wish I can do something for it.
> > >    Thank you very much for your help.
> > >    John.
> >
> > In a very old version, we used the host keytab.  Now we use our own
> > secrets.tdb file, which we maintain.  This is becouse in an ADS
> > environment, we need to do both NT authentication and Kerberos.
> >
> > Please put questions to the list, so that others may see the replies.
> > CC me if you want me to actually read it however :-)
> >
> > Andrew Bartlett
> >
> > --
> > Andrew Bartlett                                 abartlet at pcug.org.au
> > Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
> > Student Network Administrator, Hawker College   abartlet at hawkerc.net
> > http://samba.org     http://build.samba.org     http://hawkerc.net
> >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  http://lists.samba.org/mailman/listinfo/samba
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  http://lists.samba.org/mailman/listinfo/samba

More information about the samba mailing list