[Samba] Kerberos and Samba

Gémes Géza geza at kzsdabas.sulinet.hu
Mon Apr 12 10:21:41 GMT 2004


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Sensei írta:
| On Sat, 2004-04-10 at 16:07, Andrew Bartlett wrote:
|
|
|>Samba cannot use the kerberos tickets directly - not unless the KDC is
|>Active Directory (for now).  But it is possible for Samba to use the
|>same password store.  (For NTLM, but not kerberos passwords)
|>
|>What is your KDC?  MIT or Heimdal?  Are you using the Heimdal LDAP
backend?
|
|
| MIT K5. The passwords are stored only in the kerberos database.
|
|
|>While the work is still new, there is support in Heimdal to read Samba
|>password entries in LDAP.  There is also an OpenLDAP plugin to set
|>both Samba and Kerberos passwords on password change.
|>
|>You would need to manually edit your LDAP database, to expose the
|>passwords in 'Samba' format - potentially a dump and restore of the
|>Heimdal entries might do it, if the sambaSamAccount objectClass was
|>added, and you used a current snapshot.
|
|
| It would be nice to have just kerberos passwords. I've done this with
| ldap (sasl gssapi authentication via k5) and afs (tokens are released on
| ticket releasing).
|
| The main issue is the integrated windows login: a student must login,
| gain tickets and token, and have his windows home dir set to what ldap
| shows him: this means that afs must be enabled at boot.
|
| How would you do this? I don't have any clues...
|
I see a different solution here:
User authenticate to a Samba controled Domain, and because Samba has the
Kerberos password(=NTPassword hash) it could impersonate the user,
accting to the AFS/Coda cell on behalf of her/him. In this way Samba
could become a gateway between Windows clients and AFS/Coda servers.
Unfortunatelly I don't know how could be that implemented.

Cheers,

Geza
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFAem21/PxuIn+i1pIRAuJNAKCmFU8Sr+iqN3Vijm1VbepNFXVPvQCfRTLX
AFLmUljvrcCfMfJt4Tmu7RY=
=IAYb
-----END PGP SIGNATURE-----



More information about the samba mailing list