[Samba] Kerberos and Samba

[Andrew Bartlett]

On Mon, Apr 12, 2004 at 12:21:41PM +0200, Gémes Géza wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Sensei írta:
> | On Sat, 2004-04-10 at 16:07, Andrew Bartlett wrote:
> |
> |
> |>Samba cannot use the kerberos tickets directly - not unless the KDC is
> |>Active Directory (for now).  But it is possible for Samba to use the
> |>same password store.  (For NTLM, but not kerberos passwords)
> |>
> |>What is your KDC?  MIT or Heimdal?  Are you using the Heimdal LDAP
> backend?
> |
> |
> | MIT K5. The passwords are stored only in the kerberos database.
> |
> |
> |>While the work is still new, there is support in Heimdal to read Samba
> |>password entries in LDAP.  There is also an OpenLDAP plugin to set
> |>both Samba and Kerberos passwords on password change.
> |>
> |>You would need to manually edit your LDAP database, to expose the
> |>passwords in 'Samba' format - potentially a dump and restore of the
> |>Heimdal entries might do it, if the sambaSamAccount objectClass was
> |>added, and you used a current snapshot.
> |
> |
> | It would be nice to have just kerberos passwords. I've done this with
> | ldap (sasl gssapi authentication via k5) and afs (tokens are released on
> | ticket releasing).
> |
> | The main issue is the integrated windows login: a student must login,
> | gain tickets and token, and have his windows home dir set to what ldap
> | shows him: this means that afs must be enabled at boot.
> |
> | How would you do this? I don't have any clues...
> |
> I see a different solution here:
> User authenticate to a Samba controled Domain, and because Samba has the
> Kerberos password(=NTPassword hash) it could impersonate the user,
> accting to the AFS/Coda cell on behalf of her/him. In this way Samba
> could become a gateway between Windows clients and AFS/Coda servers.
> Unfortunatelly I don't know how could be that implemented.

See Volker's presentation to SambaXP, and the --with-fake-kaserver
option to Samba.

Andrew Bartlett