[Samba] Samba as a PDC with LDAP and Kerberos

Ti Leggett leggett at ci.uchicago.edu
Tue Jun 7 01:46:49 GMT 2005


I'm not aware of a way to authenticate via SASL in Samba.

On Mon, 2005-06-06 at 18:38 -0700, Jeff Block wrote:
> I've seen some people using ldap password set as {SASL}USER@REALM
> Is there a way to have samba use sasl for authentication?
> 
> Currently, my kerberos db is synchronizing with sasl so if I can get samba
> and my windows clients to authenticate using sasl, then I don't need to keep
> password hashes in ldap.
> 
> Is this possible?
> 
> Thanks.
> 
> 
> On 6/6/05 6:13 PM, "Ti Leggett" <leggett at ci.uchicago.edu> wrote:
> 
> > Basically a windows client can't authenticate against a Kerberos server
> > *and* get user information out of LDAP without using AD. You can
> > authenticate against Kerberos and have local user accounts or you can
> > have user accounts in LDAP and use some other authentication mechanism.
> > The way I'm doing it is storing user's Windows passwords in LDAP as
> > sambaNTPassword and storing *nix/OS X passwords in Kerberos. To get
> > around having different passwords for the different architectures you
> > can write a script that will be the change password script in samba and
> > a replacement for passwd under *nix. This script would add/change the
> > password in both LDAP and Kerberos keeping them synced.
> > 
> > FW is referring to such a perl script using Authen::Krb5,
> > Crypt::SmbHash, and Net::LDAP.
> > 
> > The Kerberos options you see in Samba are only for having Samba
> > authenticate against an AD server.
> > 
> > There are some things in the works for going the other way if you're
> > using Heimdal (see the archive), but I have no experience with Heimdal
> > or this solution.
> > 
> > On Mon, 2005-06-06 at 10:03 -0700, Jeff Block wrote:
> >> I'm a little confused on one section here...  Where are your passwords being
> >> stored?  kerberos?  If so, how does samba look there?  What is the
> >> significance of the {SASL}USER@REALM in LDAP?  Is there another password
> >> store that you are syncing with krb?
> >> 
> >> Sorry for my ignorance here but after hours and hours of trying different
> >> things, I'm unable to use my kerberos backend with samba.
> >> 
> >> Thanks in advance.
> >> 
> >> 
> >> FM Wrote:
> >> 
> >>> Hello,
> >>> My setup :
> >>> Windows stations
> >>> SAMBA3+OPENLDAP 2.2.x +KERBEROS (MIT)
> >>> 
> >>> All users (posix and ldap) are in Openldap.
> >>> All my ldap passwords are: {SASL}USER@REALM
> >>> I use saslauthd so I can connect to ldap using simple bind with the password
> >>> in KERBEROS.
> >>> This password CANNOT be changed (denied by the slapd.access.conf file).
> >>> 
> >>> Samba cannot use MIT kerberos for the password, so my little trick:
> >>> I created a perl script using Authen::Krb5::Admin that uses a keytab for
> >>> authentication: krb5_update_pwd.pl
> >>> 
> >>> in the smb.conf :
> >>>    ldap passwd sync = No
> >>>    unix password sync = Yes
> >>>    passwd program = /usr/local/sbin/krb5_update_pwd.pl -u %u
> >>> %n\n *passwd:*all*authentication*tokens*updated*successfully*
> >>>    passwd chat = *Password:* %n\n *Again:* %n\n *Changed*
> >>> 
> >>> So when Windows users change their password (from the change password
> >>> option in Windows), SAMBA calls /krb5_update_pwd.pl, which also updates
> >>> the KERBEROS password.
> >>> 
> >>> Linux users just have to use:
> >>> smbpasswd -r PDC_SERVER
> >>> That command updates the SAMBA password and again calls
> >>> /krb5_update_pwd.pl to sync the kerberos password.
> >>> 
> >>> I know there are some shortcomings (password policies for example). But
> >>> it's the closest I got :-)
> >>> 
> >>> Hope this can help :-)
> >>> 
> >>> 
> >>> 
> >> Ti Leggett wrote:
> >>> Let me rephrase a bit. Is there a way to use Samba as a PDC with an LDAP
> >>> backend and use pam_smbpass to keep the passwords sync'd between the
> >>> Kerberos side and the Samba side? That way the Windows clients join the
> >>> domain using only the LDAP information not knowing about the Kerberos
> >>> side of things?
> >>> 
> >>> I just removed the Kerberos information from my Windows client and tried
> >>> only using, as far as I can tell, the LDAP information and the client
> >>> still comes back saying the user name is unknown.
> >>> 
> >>> On Sat, 2005-04-23 at 08:07 -0500, Ti Leggett wrote:
> >>> 
> >>>> Ok, so I'm just trying to figure out my options here. I can:
> >>>> 
> >>>> - Use local accounts and local passwords
> >>>> - Use Kerberos for authentication, but only with local user accounts
> >>>> - Use a Samba PDC with an LDAP backend for accounts and password if and
> >>>> only if the windows clients are not bound to a Kerberos realm
> >>>> 
> >>>> Is this correct? In the third case, let's say I have a way to sync
> >>>> Kerberos passwords and LDAP sambaNTPasswords. Shouldn't it work then?
> >>>> 
> >>>> Or what am I missing? I know I can't create an AD domain, but I'm not
> >>>> trying to. AD is combination of a lot more than just Kerberos and LDAP.
> >>>> 
> >>>> I'm curious how Apple does what seems to be just this with their
> >>>> OpenDirectory, which is only MIT Kerberos, OpenLDAP, Cyrus SASL, and
> >>>> Samba 3.0 (at least they claim it's only this).
> >>>> 
> >>>> 
> >>>> On Fri, 2005-04-22 at 18:52 -0500, Franco "Sensei" wrote:
> >>>> 
> >>>>> Ti Leggett wrote:
> >>>>> 
> >>>>>> I've been searching and researching this and I can't seem to find the
> >>>>>> answers I'm looking for. I'd like to setup a Samba PDC that Windows
> >>>>>> clients will join. The PDC will use an LDAP backend to get authorization
> >>>>>> information (username, home directory, etc). The authentication portion
> >>>>>> is handled by an MIT Kerberos KDC. I think I'm  real close to having it
> >>>>>> all together but I'm not sure. I have the Windows client setup to point
> >>>>>> at my KDC so authentication *should* be coming from there once the
> >>>>>> authorization portion is going.
> >>>>> 
> >>>>> Hehehe, it's been a year trying to do that... but no way! I'm sorry to
> >>>>> tell you, but what you want is a replacement of AD... in no way will
> >>>>> Windows know about ldap and mit, without an AD domain.
> >>>>> 
> >>>>> 
> >>>>>> So first question is, are sambaLMPassword and sambaNTPassword still
> >>>>>> needed in LDAP for each user?
> >>>>>> 
> >>>>>> Here's the output from ksetup /dumpstate:
> >>>>>> 
> >>>>>> Machine is not configured to log on to an external KDC. Probably a
> >>>>>> workgroup member
> >>>>>> EXAMPLE.COM:
> >>>>>>    kdc = <kdc1 server>
> >>>>>>    kdc = <kdc2 server>
> >>>>>>    kpasswd = <kpasswd server>
> >>>>>>    Realm Flags = 0x0 none
> >>>>>> No user mappings defined.
> >>>>> 
> >>>>> Users must be somewhere to get HKEY_LOCAL* to work... and they should be
> >>>>> local users (the MIT-KDC authentication works this way).
> >>>>> 
> >>>>> 
> >>>>>> Second, here's what I have in LDAP so far:
> >>>>>> [...]
> >>>>>> I've done a smbpasswd -w <hidden samba_server password>
> >>>>>> 
> >>>>>> I can do a net getlocalsid and it will get the correct SID out of LDAP.
> >>>>> 
> >>>>> Correct.
> >>>>> 
> >>>>> 
> >>>>>> However, when I try to join my Windows client to the EXAMPLE.COM domain,
> >>>>>> I can see the ldap queries happening, but the Windows client reports an
> >>>>>> invalid username.
> >>>>> 
> >>>>> Yes. Active Directory is not there... and it wants AD. In no way can you
> >>>>> fake AD, even though it's kerberos, ldap and smb + natural-flavours...
> >>>>> 
> >>>> 
> >>>> 
> >>> 
> >> 
> >> 
> > 
> 
> 
> 
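The sync approach the thread settles on (a Samba "passwd program" driven by the quoted "passwd chat" that pushes the same new password into MIT Kerberos and into LDAP, and that can double as the *nix passwd replacement Ti describes) as an added worked example. This is editor-supplied code, not FM's krb5_update_pwd.pl and not Samba's own; it assumes a uid=...,ou=People DN layout, an admin principal samba/admin with a keytab at /etc/samba/kadmin.keytab, ldapmodify over ldapi:/// with SASL EXTERNAL, and the kadmin/ldapmodify command-line tools in place of the Authen::Krb5::Admin and Net::LDAP bindings the poster used. Only sambaNTPassword is written; the LM hash is left out on purpose.

```python
#!/usr/bin/env python3
"""Hypothetical Samba 'passwd program' keeping Kerberos and LDAP in sync.

Speaks the chat from the quoted smb.conf (prompt "Password:", then "Again:",
answer "Changed"), derives the sambaNTPassword value, and prepares (or with
--apply, executes) a kadmin change_password plus an LDAP modify.
Every DN, principal and path below is an assumption, not from the thread.
"""
import struct
import subprocess
import sys

# MD4 is needed for the NT hash; hashlib's md4 is missing on OpenSSL 3 builds,
# so it is implemented here per RFC 1320.
def _rotl(x, n):
    x &= 0xFFFFFFFF
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF

_F = lambda x, y, z: (x & y) | (~x & z)
_G = lambda x, y, z: (x & y) | (x & z) | (y & z)
_H = lambda x, y, z: x ^ y ^ z
_ROUNDS = (  # (function, additive constant, X[k] order, shift cycle)
    (_F, 0x00000000, list(range(16)), (3, 7, 11, 19)),
    (_G, 0x5A827999, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
    (_H, 0x6ED9EBA1, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
)

def md4(data: bytes) -> bytes:
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for f, const, order, shifts in _ROUNDS:
            for i, k in enumerate(order):
                s = shifts[i % 4]
                if i % 4 == 0:
                    a = _rotl(a + f(b, c, d) + x[k] + const, s)
                elif i % 4 == 1:
                    d = _rotl(d + f(a, b, c) + x[k] + const, s)
                elif i % 4 == 2:
                    c = _rotl(c + f(d, a, b) + x[k] + const, s)
                else:
                    b = _rotl(b + f(c, d, a) + x[k] + const, s)
        a, b, c, d = ((a + aa) & 0xFFFFFFFF, (b + bb) & 0xFFFFFFFF,
                      (c + cc) & 0xFFFFFFFF, (d + dd) & 0xFFFFFFFF)
    return struct.pack("<4I", a, b, c, d)

def nt_hash(password: str) -> str:
    """sambaNTPassword value: uppercase hex of MD4 over the UTF-16LE password."""
    return md4(password.encode("utf-16-le")).hex().upper()

def ldif_for(user: str, nt_hex: str, base_dn: str) -> str:
    """LDIF replacing sambaNTPassword on the user's entry (DN layout assumed)."""
    return (f"dn: uid={user},ou=People,{base_dn}\n"
            "changetype: modify\n"
            "replace: sambaNTPassword\n"
            f"sambaNTPassword: {nt_hex}\n")

def kadmin_argv(user: str, password: str, realm: str, admin: str, keytab: str) -> list:
    """kadmin invocation authenticated by keytab (principal and path assumed).
    Caveat: -pw places the secret in argv, visible via ps on hosts without
    hidepid; the poster's Authen::Krb5::Admin library call avoids that."""
    if any(ch.isspace() or ch in '"\'' for ch in password):
        raise ValueError("password would break kadmin -q parsing")
    return ["kadmin", "-p", admin, "-k", "-t", keytab,
            "-q", f"change_password -pw {password} {user}@{realm}"]

def run_chat(read=sys.stdin.readline, write=sys.stdout.write) -> str:
    """Drive the smb.conf chat: prompt twice, require a match, return the password."""
    write("Password: "); sys.stdout.flush()
    first = read().rstrip("\r\n")
    write("Again: "); sys.stdout.flush()
    second = read().rstrip("\r\n")
    if not first or first != second:
        raise ValueError("passwords empty or do not match")
    return first

def sync_password(user, password, *, base_dn, realm, admin, keytab, apply=False):
    """Build both updates; run them only when apply=True. Kerberos goes first so
    a kadmin failure leaves LDAP untouched rather than half-synced."""
    ldif = ldif_for(user, nt_hash(password), base_dn)
    argv = kadmin_argv(user, password, realm, admin, keytab)
    if apply:
        subprocess.run(argv, check=True)
        subprocess.run(["ldapmodify", "-Y", "EXTERNAL", "-H", "ldapi:///"],
                       input=ldif, text=True, check=True)
    return {"ldif": ldif, "kadmin": argv}

if __name__ == "__main__":
    # Mirrors "passwd program = ... -u %u" from the quoted smb.conf.
    user = sys.argv[sys.argv.index("-u") + 1]
    pw = run_chat()
    sync_password(user, pw, base_dn="dc=example,dc=com", realm="EXAMPLE.COM",
                  admin="samba/admin", keytab="/etc/samba/kadmin.keytab",
                  apply="--apply" in sys.argv)
    print("Changed")
```

Without --apply the script only returns the LDIF and the kadmin argument vector, which is the safe way to check the chat and the hash before wiring it into smb.conf; the final "Changed" is what the quoted passwd chat waits for. The order of the two writes is deliberate: Kerberos is the authoritative store in this design, so it is updated first and LDAP only after that succeeds.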


