[Samba] Samba+Kerberos

Andrew Bartlett abartlet at samba.org
Fri Sep 6 23:06:00 GMT 2002


Helge Bahmann wrote:
> 
> >       Since Kerberos is a password storage only, and you are going to need
> > other things, such as user uid/rid, homedir, etc., I recommend to go for
> > Samba+LDAP (look for Samba PDC HOWTO on google).
> 
> Yes, sure; what I currently have:
> - Kerberos as authentication service for Unix clients; Win2k clients "sort
> of" working as well
> - LDAP as directory service, basically just as a NIS replacement; of
> course I can add required fields to the user objects for Samba
> - NFS to serve files for Unix clients
> 
> what I would like to have is to use Samba to serve files to the windows
> client, but have the windows clients use Kerberos to authenticate against
> the Samba server using the Kerberos tickets obtained during login (instead
> of something smbpasswd-like, be it stored as a flat file or kept in ldap)
> 
> > Then you can set up
> > OpenLDAP to utilize Kerberos as a password backend. See
> > http://www.bayour.com/LDAPv3-HOWTO.html for details.
> 
> Sure, but as far as I understand this only covers kerberos-authenticated
> access to the ldap server (which I am interested in as well, but not at
> the moment); it does not explain what I need to do to make samba accept
> the Win2k kerberos tickets
> 
> Please correct me if I am wrong or unclear, I am not sure there may be
> something fundamentally wrong in my understanding of the interaction of
> the pieces.

Yes, this should work - but it won't at the moment.  The problem is that
Samba no longer consults the /etc/krb5.keytab - it keeps the password in
secrets.tdb and 'fakes up' the keytab on the fly.  This is because the
windows clients are rather messy with how they do their kerberos.  (and
the fact that we need to have the password for other parts of the
protocol).

As such, it should be possible to modify Samba to use /etc/krb5.keytab
again, but you need to watch the myriad of different ways clients address
us.

However, what I assume you really want is AD support.  There is good
news and bad news on that :-).  IBM recently put some interns in their
'Extreme Blue' program into this area - constructing an AD compatible
server on Unix, using things like OpenLDAP and Samba.  Many parts of the
work are already in the samba.org tree.  (and other parts of the work are
a long way off - like getting sane interactions with Kerberos...)

We are *very* interested in getting more people working on this area -
it really isn't that hard, but we really need to get some basics
together before people will try and adopt it.

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net