[Samba] What is good about kereberos auth?

Ti Leggett leggett at ci.uchicago.edu
Wed May 4 14:17:50 GMT 2005

That may be true, but there is another win in this type of environment.
Separation of your authentication database from your identity management
database. Regardless of how you authenticate in this scenario, you will
be sending passwords (even encrypted) over the wire. If the passwords
are in a KDC then at least it's not easy to gain those passwords. If you
keep your passwords in LDAP, then you need to be very careful about who
has access to them.

On Wed, 2005-05-04 at 13:26 +0200, José M. Fandiño wrote:
> Hello Ti,
> Ti Leggett wrote:
> > 
> > There are two main benefits to Kerberos authentication. The first is
> > that in a true Kerberos environment, no password is never sent across
> > the wire. The second, is that you get the holy grail of single sign on.
> > 
> > Your LDAP PDC should be able to make use of Kerberos though not in the
> > true sense. There is Kerberos support in Samba, but as I understand it,
> > it's only for interacting with a Microsoft AD server and not others.
> > What will happen is authentication requests will come to the PDC which
> > will then use the underlying mechanism (a.k.a. PAM) to authenticate a
> > user. This is how I understand it and I'll defer to those more
> > knowledgeable on the list if I'm wrong.
> then...,  there isn't any benefit associated with kerberos in a pure
> samba environment with a ldap(+tsl) backend? 
> I was thinking about SSO and native kerberos logins but from this
> comment I must understand that it ins't possible?
> Thank you.
> -- 
> Version: 3.1
> GCS/IT d- s+:+() a31 C+++ UBL+++$ P+ L+++ E--- W++ N+ o++ K- w---
> O+ M+ V- PS+ PE+ Y++ PGP+>+++ t+ 5 X+$ R- tv-- b+++ DI D++>+++
> G++ e- h+(++) !r !z
> ------END GEEK CODE BLOCK------

More information about the samba mailing list