[Samba] Kerberos auth without NTLM

ww m-pubsyssamba pubsyssamba at bbc.co.uk
Wed Mar 24 16:55:54 GMT 2004

On Mon, 2004-03-22 at 23:46, ww m-pubsyssamba wrote:
> Can anyone tell me if I can configure Samba 3.x to rely only on Kerberos authentication (in an AD domain)?
> Ideally I'd like to use local UNIX accounts, not winbind, and negate the need for me to add an entry to passdb, then the
> account must exist in AD and locally on each Samba member server for authentication to work.
> If there is any info held in passdb, other than the NTLM coded password, which must exist for Samba to work then I'd 
> like to either enter an unusable password or disable NTLM authentication completely. Reason for my second request 
> is if I am forced to have users in passdb I don't want to have to worry about the data being world readable from a 
> security perspective.

I meant to talk to you earlier about this.  It is quite OK to have a
system that does not use winbind, and you can still use all the
authentication mechanisms.  

You can set 'security=domain' and even 'security=ads' without winbind. 

You can also run winbindd (which helps security=domain's performance)
without winbind in nsswitch.

Andrew Bartlett

Hi Andrew,

	thanks for your reply, but I have a problem with your suggestion. 
This is a revised description of my problem (having re-checked how things are working), I would like
UNIX users and groups to be visible to Windows clients for the purposes of permissioning data with
windows explorer. I believe to do this I must run "smbpasswd -a user password" for each user on each
Samba member server, or run once on one Samba server with a LDAP passdb backend. If I store the data
in LDAP I have to concern myself with securing the data as access to read or modify the NTLM password
in passdb is a security hole (Unless I can disable NTLM completely).

Firstly let me clarify what I have setup, my requirement is for multiple Samba 3.x member servers
in an AD domain. So in my test environment I have a server with "security=ads" successfully joined
to an AD domain, main problem is at the moment winbind and Solaris NSS won't talk properly (I'm
discussing this with PADL who contributed this code) so I cannot use winbind to define local UNIX
users and groups. Instead I have UNIX users & groups in /etc/groups & /etc/passwd. Without doing
any further configuration this gives me Kerberos access to the Samba server from SMB clients (although
my previous mail was based in part on the mistaken belief that the account must exist in passdb before
even Kerberos authentication would work).
That's fine as I now have a working member server, but from a Window client I cannot assign permissions
to any of the local users or groups. ie if you right click a file or folder on a client to the Samba
server and browse to the Samba server to graphically select users and groups to grant permissions to
only the default users and groups are visible:

Authenticated Users

in order to see users in this list I have to first run "smbpasswd -a user password" and in order to see
groups in the list I have to "net groupmap ntgroup=groupname unixgroup=groupname". I am more than happy
to automate the process of "smbpasswd -a ..." etc but this does then allow access to Samba by the
password held in the passdb backend. What would be great is if I could disable NTLM authentication for
the whole server. That way I can store the passdb in LDAP without having to implement SSL (unless
someone would like to correct me this seems to be a painful process relying on either manually
installing self signed certificate files or the implementation of a robust certificate server infrastructure). So I wouldn't need to worry about the security of the passdb user password field.

Or another option, should I run an automated "smbpasswd -a ..." script on every Samba member server
using a file based passdb backend? Does it matter if I have multiple Samba member servers in a domain
with their own local passdb? I believe there is a RID value stored in passdb, does this need to be the
same across multiple Samba member servers?

If I use winbind I can permission data to groups in my AD domain from a windows client, but because I
don't have winbind listed in nsswitch.conf these are permissioned against UID's and GID's which are
unknown to the UNIX OS so this is not useful to me.

Maybe I'm not going about this in the best/easiest way or don't fully understand all the available
options, so your opinion would be appreciated,

		thanks in advance, Andy.

BBCi at http://www.bbc.co.uk/

This e-mail (and any attachments) is confidential and may contain personal views which are not the views of the BBC unless specifically
If you have received it in error, please delete it from your system. Do not use, copy or disclose the information in any way nor act in
reliance on it and notify the sender immediately. Please note that the BBC monitors e-mails sent or received.
Further communication will signify your consent to this.

More information about the samba mailing list