[Samba] Re: Samba and Kerberos PDC(MIT or SEAM, without microsoft ADS)

[Yongjun Rong]

Hi, Andrew,
   Thank you very much. I have read some information about the samba PDC kerberos 
authentication as below.

>> Anyone worked with a combination of Samba (TNG, or 2.x) running as a PDC for
>> a network of primarily NT workstations, with the passwords being
>> authenticated back into a Kerberos IV database? or a Kerberos V?
>
>> I'm trying to get this working so that I don't have to work with NT user
>> accounts at my site, as I've got access to usernames and passwords through
>> Kerberos.
>
>If all you wanted was SMB sessions authenticated against Kerberos, that
>wouldn't be too hard of a problem (although doing it Right might be another
>matter).  But since you say you want this Samba machine to be a PDC, the
>problem becomes much more difficult.
>
>When a workstation authenticates to a PDC, it takes the password from the
>user, encrypts it in NTLM format, and sends this (more or less securely) to
>the server.  The server compares it with the NTLM-encrypted form of the
>password that it has.
>
>Kerberos, on the other hand, can be used for authentication in basically two
>ways; one way (the preferred way for security) is third-party authentication
>against the KDC.  Since this would require sending a Kerberos ticket across in
>the SMB authentication sequence, it's pretty much out of the question, unless
>you're prepared to modify the SMB support on all of your NT workstations.  The
>other way to authenticate against a Kerberos database, the method used by PAM
>modules and the like, is to pass the plaintext password to the server, and let
>the server check if it can decrypt a TGT (ticket-granting-ticket) for the
>user with the password it was given.
>
>The problem then is, how do you get the cleartext password to the server?  If
>you aren't using domain security, it can be done by turning on the cleartext
>password option in your client registry; but with domain security, all you'll
>ever get is the NTLM hash.
>
>One option would be to use the NTLM hash as the key for encrypting user
>tickets, instead of the plaintext password; but if your Kerberos database is
>used for other things, then this isn't feasible either.
>
>If you really need this to work, then you have three options...
>
>1) back off the NT domain support, and do plaintext password authentication
>against the Samba server (which will then authenticate against the KDC).  This
>will cost you the security of the NT domain model.
>
>2) use NTLM hashes in your KDC instead of plaintext passwords.  This will cost
>you interoperability with existing Unix programs deployed on your network.
>
>3) upgrade all of your NT workstations to Win2k.  God knows what /that/ will
>cost you, and I'm not sure this would even work with Samba at this point.
>

   Can we get the NTLM hash from the windows client when the User login to the Samba 
PDC? And then in the samba ,  can we use the NTLM hash to simulate the kerberos 
tickets for the user and do the kerberos authentication for the user?
  Thank you very much.
  John
-----------------------------------------------------------------------------------
-----------------------------------------------------------------------------------
-----------------------------------------------------------------------------------
---- Original Message ----
From:		Andrew Bartlett
Date:		Mon 10/28/02 17:24
To:		Yongjun Rong
Cc:		abartlet at samba.org
Subject:	Re: Samba and Kerberos(MIT or SEAM, without microsoft ADS)

Yongjun Rong wrote:
> 
> Hi, Andrew,
>    This is John from Texas Tech University.I have read your reply about samba and
> kerberos. May I ask you some question about samba and Kerberos.
>    1, Is the samba can use the kerberos(Not with ADS, Just MIT or SEAM in Solaris)
> as the authentication services and store samba user and passwd in the kerberos
> database directly but not using OpenLDAP?

If you can get the clients to send you a kerberos login without using
ADS, then the modification is realitivly simple, and is part of the work
towards an Active Directory replacement.

>    2, If it cannot, I know the samba has support the Kerberos with Microsoft ADS.
> Where can start to change the source to enable the support for MIT or SEAM in
> solaris? How can I do it? I have download the source of samba3.0alpha20. And I also
> have configure the samba as a PDC for my win2k client.

You can't do PDC stuff with this kind of setup, not until we get a *lot*
more Active Directory work done.

>    3, You said that samba should support the MIT kerberos. But not at this moment.
> Did it support keberos in the older version or not? which version? If it was not
> support. I wish I can do something for it.
>    Thank you very much for your help.
>    John.

In a very old version, we used the host keytab.  Now we use our own
secrets.tdb file, which we maintain.  This is becouse in an ADS
environment, we need to do both NT authentication and Kerberos.

Please put questions to the list, so that others may see the replies. 
CC me if you want me to actually read it however :-)

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net