[Samba] Kerberos and Samba

Gémes Géza geza at kzsdabas.sulinet.hu
Sun Apr 11 07:07:35 GMT 2004


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Andrew Bartlett írta:
| On Sat, Apr 10, 2004 at 12:09:49PM +0200, Sensei wrote:
|
|>Hi.
|>
|>I've built an afs cell, a kerberos kdc, an openldap server, all
|>kerberized. Now all linux clients can login on the cell using k5
|>authentication, finding informations about their home dirs with ldap.
|>Their home reside on the afs cell, which allows r/w access since it
|>releases a token from the k5 ticket. All macosx clients can login as
|>well... but what about windows? ^___^;;;
|>
|>I've been sent here from a kerberos group, telling me samba could be
|>useful.
|>
|>I'd like to avoid creating windows users on every windows client... and
|>I know I can set up an AD server, creating users on kerberos/afs/ldap
|>AND the same users on AD... quite long...
|>
|>Is samba of any use? Can I grant tickets and tokens via samba, mapping
|>windows home directories on the afs home dir? This information can be
|>retrieved from openldap...
|
|
| Samba cannot use the kerberos tickets directly - not unless the KDC is
| Active Directory (for now).  But it is possible for Samba to use the
| same password store.  (For NTLM, but not kerberos passwords)
|
| What is your KDC?  MIT or Heimdal?  Are you using the Heimdal LDAP
backend?
|
| If you are running Heimdal, what version?  Could you run a current
snapshot?
|
| While the work is still new, there is support in Heimdal to read Samba
| password entries in LDAP.  There is also an OpenLDAP plugin to set
| both Samba and Kerberos passwords on password change.
|
| You would need to manually edit your LDAP database, to expose the
| passwords in 'Samba' format - potentially a dump and restore of the
| Heimdal entries might do it, if the sambaSamAccount objectClass was
| added, and you used a current snapshot.
|
| (The type 23 arcfour-hmac-md5 enctype is the Samba NT password)
|
| Andrew Bartlett

The hdb-ldap.c (Heimdal using NTPassword) changes seems to be integrated
in current Heimdal snapshots.
Where could we find the LDAP password synchronization patch, what
OpenLDAP version does it applies to?

Thanks,

Geza
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFAeO62/PxuIn+i1pIRAvt0AJ9jgl3BQMwfg804KbVxZwlanZBC7ACfZdq3
GqIuSOGmrosslTD0BuZ7hVg=
=U9Ef
-----END PGP SIGNATURE-----



More information about the samba mailing list