[Samba] samba,ldap and kerberos

Gémes Géza geza at kzsdabas.sulinet.hu
Sun Mar 21 12:33:12 GMT 2004



Andrew Bartlett wrote:

| On Sun, 2004-03-21 at 22:43, Gémes Géza wrote:
|
|>Andrew Bartlett wrote:
|>| On Fri, 2004-03-19 at 09:19, aarumuga arumugam wrote:
|>|
|>|>Hi Everybody,
|>|>We are integrating Samba, Kerberos and LDAP:
|>|>samba-3.0.2a
|>|>Sun Kerberos
|>|>Sun LDAP
|>|>All three servers are on three different Solaris machines.
|>|
|>|
|>| In an unfortunate twist, Samba's kerberos support is *only* available
|>| against active directory.  Even if you have somehow convinced your
|>| windows client to talk kerberos against a unix KDC, Samba will only join
|>| AD.
|>
|>OK that's understandable, but recently you have made some (Loriket)
|>patches to Heimdal, and using them together with Heimdal's LDAP backend,
|>would it be possible, to fool Samba into thinking that it joined AD, or
|>Samba requires tickets containing MS PAC?
|
|
| The heimdal patches were a different thing - in that case Samba is not
| actually using Kerberos at all (but it is part of my plan to allow it).
|
| As to looking like AD, there is much more to AD than LDAP+kerberos.  But
| that does not stop us making a good stab at making LDAP+Kerberos viable
| for unix clients, which we have some control over...
|

OK, sorry for my quite confusing reply. What I was really interested in
is whether Samba, as an AD client, would use the information contained in
the MS PAC, or whether, after getting the ticket, it would do an LDAP lookup
to get the authorization (SIDs) / account (HomeDrive, etc.) information.
In the latter case a correctly configured Heimdal/LDAP could simulate an
AD (except for MSRPC calls) for Samba (but not for Windows :-( ).

Thanks,

Geza

P.S.
My question could be reformulated: what is needed to have a UNIX AD? The (!)
marks where work has to be done:
- LDAP with multimaster(!) replication
- Kerberos with LDAP backend, with NTLM hashes (Loriket) and MS PAC(!)
- DNS with LDAP backend, and Kerberos-authenticated updates(!)
- DHCP server
- NTP server
- New MSRPC calls in Samba(!)
- Anything else?