[Samba] Kerberos and Samba

Andrew Bartlett abartlet at samba.org
Mon Apr 12 20:30:30 GMT 2004


On Mon, Apr 12, 2004 at 09:23:05PM +0200, Gémes Géza wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Andrew Bartlett wrote:
> | On Mon, Apr 12, 2004 at 12:21:41PM +0200, Gémes Géza wrote:
> |
> |>-----BEGIN PGP SIGNED MESSAGE-----
> |>Hash: SHA1
> |>
> |>Sensei wrote:
> |>| On Sat, 2004-04-10 at 16:07, Andrew Bartlett wrote:
> |>|
> |>|
> |>|>Samba cannot use the kerberos tickets directly - not unless the KDC is
> |>|>Active Directory (for now).  But it is possible for Samba to use the
> |>|>same password store.  (For NTLM, but not kerberos passwords)
> |>|>
> |>|>What is your KDC?  MIT or Heimdal?  Are you using the Heimdal LDAP
> |>backend?
> |>|
> |>|
> |>| MIT K5. The passwords are stored only in the kerberos database.
> |>|
> |>|
> |>|>While the work is still new, there is support in Heimdal to read Samba
> |>|>password entries in LDAP.  There is also an OpenLDAP plugin to set
> |>|>both Samba and Kerberos passwords on password change.
> |>|>
> |>|>You would need to manually edit your LDAP database, to expose the
> |>|>passwords in 'Samba' format - potentially a dump and restore of the
> |>|>Heimdal entries might do it, if the sambaSamAccount objectClass was
> |>|>added, and you used a current snapshot.
> |>|
> |>|
> |>| It would be nice to have just kerberos passwords. I've done this with
> |>| ldap (sasl gssapi authentication via k5) and afs (tokens are released on
> |>| ticket releasing).
> |>|
> |>| The main issue is the integrated windows login: a student must login,
> |>| gain tickets and token, and have his windows home dir set to what ldap
> |>| shows him: this means that afs must be enabled at boot.
> |>|
> |>| How would you do this? I don't have any clues...
> |>|
> |>I see a different solution here:
> |>Users authenticate to a Samba controlled Domain, and because Samba has the
> |>Kerberos password (=NTPassword hash) it could impersonate the user,
> |>acting on the AFS/Coda cell on behalf of her/him. In this way Samba
> |>could become a gateway between Windows clients and AFS/Coda servers.
> |>Unfortunately I don't know how that could be implemented.
> |
> |
> | See Volker's presentation to SambaXP, and the --with-fake-kaserver
> | option to Samba.
> |
> 
> Sorry for being so tenacious on this (maybe unimportant) subject. But this
> is what I've understood about what fake-kaserver does:
> 
> ___________             _____________           _____________
> |         |             |           |           |           |
> | Windows |--Kerberos-->|   Samba   |---------->|    AFS    |
> | client  |    auth     |   server  |           |   cell    |
> |_________|             |___________|           |___________|
>      ^
>      |
>      |
>      |
> _____|______
> |          |
> |    AD    |
> |  server  |
> |__________|

No.  This is the ideal world that would not require a kludge as large
as --fake-kaserver.  (In theory, a proxied/impersonation ticket would work)

> But what I was thinking about would be:
> 
> ___________             _____________           _____________
> |         |             |           |           |   Coda    |
> | Windows |----NTLM---->|   Samba   |---------->|    or     |
> | client  |    auth     |    PDC    |           |    AFS    |
> |_________|             |_LDAP back_|           |___cell____|
>                               ^
>                               |
>                               | getting ticket
>                               | for
>                               | Kerberos unaware clients
>                         ______|______
>                         |           |
>                         |  Heimdal  |
>                         |  current  |
>                         |_LDAP back_|
> 

This is what the fake-kaserver does, except that it does not need to
access the user's passwords, it only needs to access the AFS server's
password (and can spoof tickets from there).

Ask Volker for the fine details.

Andrew Bartlett 
