[Samba] Kerberos and Samba

Gémes Géza geza at kzsdabas.sulinet.hu
Mon Apr 12 19:23:05 GMT 2004


Andrew Bartlett wrote:
| On Mon, Apr 12, 2004 at 12:21:41PM +0200, Gémes Géza wrote:
|
|>Sensei wrote:
|>| On Sat, 2004-04-10 at 16:07, Andrew Bartlett wrote:
|>|
|>|
|>|>Samba cannot use the kerberos tickets directly - not unless the KDC is
|>|>Active Directory (for now).  But it is possible for Samba to use the
|>|>same password store.  (For NTLM, but not kerberos passwords)
|>|>
|>|>What is your KDC?  MIT or Heimdal?  Are you using the Heimdal LDAP
|>|>backend?
|>|
|>|
|>| MIT K5. The passwords are stored only in the kerberos database.
|>|
|>|
|>|>While the work is still new, there is support in Heimdal to read Samba
|>|>password entries in LDAP.  There is also an OpenLDAP plugin to set
|>|>both Samba and Kerberos passwords on password change.
|>|>
|>|>You would need to manually edit your LDAP database, to expose the
|>|>passwords in 'Samba' format - potentially a dump and restore of the
|>|>Heimdal entries might do it, if the sambaSamAccount objectClass was
|>|>added, and you used a current snapshot.
|>|
|>|
|>| It would be nice to have just kerberos passwords. I've done this with
|>| ldap (sasl gssapi authentication via k5) and afs (tokens are released on
|>| ticket releasing).
|>|
|>| The main issue is the integrated windows login: a student must login,
|>| gain tickets and token, and have his windows home dir set to what ldap
|>| shows him: this means that afs must be enabled at boot.
|>|
|>| How would you do this? I don't have any clues...
|>|
|>I see a different solution here:
|>User authenticates to a Samba controlled Domain, and because Samba has the
|>Kerberos password (=NT password hash) it could impersonate the user,
|>acting on the AFS/Coda cell on behalf of her/him. In this way Samba
|>could become a gateway between Windows clients and AFS/Coda servers.
|>Unfortunately I don't know how that could be implemented.
|
|
| See Volker's presentation to SambaXP, and the --with-fake-kaserver
| option to Samba.
|

Sorry for being so tenacious on this (maybe unimportant) subject. But this
is what I've understood about what fake-kaserver does:

 ___________              ___________              ___________
|           |            |           |            |           |
|  Windows  |--Kerberos->|   Samba   |----------->|    AFS    |
|  client   |    auth    |  server   |            |   cell    |
|___________|            |___________|            |___________|
      ^
      |
      |
 _____|_____
|           |
|    AD     |
|  server   |
|___________|

But what I was thinking about would be:

 ___________              ___________              ___________
|           |            |           |            |   Coda    |
|  Windows  |----NTLM--->|   Samba   |----------->|    or     |
|  client   |    auth    |    PDC    |            |    AFS    |
|___________|            |_LDAP back_|            |___cell____|
                               ^
                               |
                               | getting ticket
                               | for
                               | Kerberos unaware clients
                          _____|_____
                         |           |
                         |  Heimdal  |
                         |  current  |
                         |_LDAP back_|

Thanks,

Geza