[Samba] Samba + (LDAP + Kerberos V)
Gémes Géza
geza at kzsdabas.sulinet.hu
Wed Oct 20 20:46:36 GMT 2004
Matt Joyce wrote:
> Gémes Géza wrote:
>
>> Matt Joyce wrote:
>>
>>> So like at least a handful of people before me I have begun the
>>> valiant struggle to unify logins at my place of business.
>>>
>>> I have setup a test LDAP + Kerberos V cluster.
>>>
>>> And I have set up a test Samba 3 PDC.
>>>
>>> What I would like to do is get Samba to handle kerberos ticket
>>> granting and authentication to the (LDAP + Kerberos V) Directory.
>>> Such that Windows is completely unaware of the existence of
>>> Kerberos. And, also such that I don't have to keep samba domain
>>> passwords in ldap and sync them to kerberos in some sort of bizarre
>>> otherworldly failure in authentication unification.
>>>
>>> (Pardon my attempts at prose I am working on 3 hours of sleep)
>>>
>>> The question is really one of what you might suggest in terms of a
>>> design, particularly if you have tried and/or done this in the past.
>>>
>>> I have heard at least with samba 2 what I am trying is impossible.
>>> Not sure with Samba 3. I am wondering if the Active Directory
>>> support can be employed to my benefit in this manner.
>>>
>>
>> You can read more about it at:
>> https://sec.miljovern.no/bin/view/Info/HeimdalKerberosSambaAndOpenLdap
>>
>>
>>> Now, assuming the worst and samba is incapable of handling kerberos
>>> tickets, and assuming i manage to handle tickets in ldap itself....
>>> I can authenticate LDAP Samba users of Kerberos without having to
>>> keep a synced password db correct?
>>>
>>> -Matt
>>
>>
>>
>> Cheers
>>
>> Geza
>>
> Yeah, that's almost decent documentation for LDAP + Kerberos but says
> absolutely nothing about Samba 3.
>
>
That's very easy to explain, because if you follow it you will have your
Kerberos using Samba's MD4 password hash, and so all of your *nix and
Windows machines will use the same password. However, as Samba 3 is able to
emulate an NT4 DC, Windows clients don't try, nor would they succeed in,
using Kerberos against it. So you can have something like in the following
ASCII graphic:
 _______________                         _______________
|               |                       |               |
|  *nix client  |---------------------->|    Heimdal    |
|_______________|                       |_______________|
                                                |
                                                v
                                         _______________
                                        |               |
                                        |     LDAP      |
                                        |_______________|
                                                ^
                                                |
 _______________                         _______________
|               |                       |               |
|Windows client |---------------------->|     Samba     |
|_______________|                       |_______________|
Hope this helps to clarify the situation in a pre-Samba4 world.
Cheers,
Geza