[Samba] What is good about Kerberos auth?

Ti Leggett leggett at ci.uchicago.edu
Wed May 4 18:08:25 GMT 2005


The kerberos libraries are linked in for kerberos authentication to an MS
AD server, not for other third-party kerberos databases.

On Wed, 2005-05-04 at 19:45 +0200, José M. Fandiño wrote:
> "José M. Fandiño" wrote:
> > 
> > Ti Leggett wrote:
> > >
> > > That may be true, but there is another win in this type of environment.
> > > Separation of your authentication database from your identity management
> > > database. Regardless of how you authenticate in this scenario, you will
> > 
> > also there is the opposite school of thought, if you have disconnected
> > databases it makes management more difficult, i.e. keep passwords synchronized
> > for different applications.
> > 
> > > be sending passwords (even encrypted) over the wire. If the passwords
> > > are in a KDC then at least it's not easy to gain those passwords. If you
> > > keep your passwords in LDAP, then you need to be very careful about who
> > > has access to them.
> > 
> > that is true in an environment with native kerberos authentication, but
> > in the samba case it isn't applicable because the password is sent to
> > PAM and this checks the password against ldap, sending it over the wire.
> 
> well, I'm a bit confused here. For Kerberos auth, is samba using
> native kerberos or pam_krb5?
> 
> In my test machine smbd is linked with libpam, libkrb5 and libgssapi.
> 
> # ldd /usr/sbin/smbd
>         libldap.so.2 => /usr/lib/libldap.so.2 (0x4001a000)
>         liblber.so.2 => /usr/lib/liblber.so.2 (0x40048000)
>         libcrypto.so.0.9.6 => /usr/lib/libcrypto.so.0.9.6 (0x40055000)
>         libcrypt.so.1 => /lib/libcrypt.so.1 (0x40129000)
>         libresolv.so.2 => /lib/libresolv.so.2 (0x4015a000)
>         libcups.so.2 => /usr/lib/libcups.so.2 (0x4016b000)
>         libssl.so.0.9.6 => /usr/lib/libssl.so.0.9.6 (0x40185000)
>         libnsl.so.1 => /lib/libnsl.so.1 (0x401b4000)
>         libpam.so.0 => /lib/libpam.so.0 (0x401c9000)
>         libattr.so.1 => /lib/libattr.so.1 (0x401d1000)
>         libacl.so.1 => /lib/libacl.so.1 (0x401d6000)
>         libdl.so.2 => /lib/libdl.so.2 (0x401dc000)
>         libpopt.so.0 => /usr/lib/libpopt.so.0 (0x401df000)
>         libc.so.6 => /lib/i686/libc.so.6 (0x401e5000)
>         libsasl.so.7 => /usr/lib/libsasl.so.7 (0x40303000)
>         /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
>         libdb-4.0.so => /usr/lib/libdb-4.0.so (0x40316000)
>         libgssapi.so.1 => /usr/lib/libgssapi.so.1 (0x403bc000)
>         libkrb5.so.17 => /usr/lib/libkrb5.so.17 (0x403c8000)
>         libasn1.so.5 => /usr/lib/libasn1.so.5 (0x40400000)
>         libroken.so.9 => /usr/lib/libroken.so.9 (0x40422000)
>         libcom_err.so.1 => /usr/lib/libcom_err.so.1 (0x40434000)
>         libgdbm.so.2 => /usr/lib/libgdbm.so.2 (0x40437000)
> 
> 
> > > On Wed, 2005-05-04 at 13:26 +0200, José M. Fandiño wrote:
> > > > Hello Ti,
> > > >
> > > > Ti Leggett wrote:
> > > > >
> > > > > There are two main benefits to Kerberos authentication. The first is
> > > > > that in a true Kerberos environment, no password is ever sent across
> > > > > the wire. The second is that you get the holy grail of single sign on.
> > > > >
> > > > > Your LDAP PDC should be able to make use of Kerberos though not in the
> > > > > true sense. There is Kerberos support in Samba, but as I understand it,
> > > > > it's only for interacting with a Microsoft AD server and not others.
> > > > > What will happen is authentication requests will come to the PDC which
> > > > > will then use the underlying mechanism (a.k.a. PAM) to authenticate a
> > > > > user. This is how I understand it and I'll defer to those more
> > > > > knowledgeable on the list if I'm wrong.
> > > >
> > > > then..., isn't there any benefit associated with kerberos in a pure
> > > > samba environment with an ldap(+tls) backend?
> > > >
> > > > I was thinking about SSO and native kerberos logins but from this
> > > > comment I must understand that it isn't possible?
> 
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/listinfo/samba