[Samba] What is good about kereberos auth?

Ti Leggett leggett at ci.uchicago.edu
Wed May 4 18:12:17 GMT 2005


On Wed, 2005-05-04 at 19:17 +0200, José M. Fandiño wrote:
> Ti Leggett wrote:
> > 
> > That may be true, but there is another win in this type of environment.
> > Separation of your authentication database from your identity management
> > database. Regardless of how you authenticate in this scenario, you will
> 
> also there is the opposite school of thought, if you have disconnected 
> databases it makes management more difficult, i.e. keep passwords synchronized
> for different applications.

Security and ease of use are usually at odds with each other. However,
I've found that the overhead here is negligible.

> > be sending passwords (even encrypted) over the wire. If the passwords
> > are in a KDC then at least it's not easy to gain those passwords. If you
> > keep your passwords in LDAP, then you need to be very careful about who
> > has access to them.
> 
>  that is true in an environment with native kerberos authentication, but 
> in the samba case it isn't applicable because the password is sent to 
> PAM and this check the password against ldap send it over the wire.

Not true. The directory is generally made available to everyone and in
fact some things *must* be readable by everyone for authorization to
happen. If your passwords are in the directory you must take great care
that your ACLs and who has access to what are properly defined. This can
be a bit of a pain in itself. Note that this is not just a problem for
passwords but any other sensitive data you may be storing in the
directory.


> > On Wed, 2005-05-04 at 13:26 +0200, José M. Fandiño wrote:
> > > Hello Ti,
> > >
> > > Ti Leggett wrote:
> > > >
> > > > There are two main benefits to Kerberos authentication. The first is
> > > > that in a true Kerberos environment, no password is never sent across
> > > > the wire. The second, is that you get the holy grail of single sign on.
> > > >
> > > > Your LDAP PDC should be able to make use of Kerberos though not in the
> > > > true sense. There is Kerberos support in Samba, but as I understand it,
> > > > it's only for interacting with a Microsoft AD server and not others.
> > > > What will happen is authentication requests will come to the PDC which
> > > > will then use the underlying mechanism (a.k.a. PAM) to authenticate a
> > > > user. This is how I understand it and I'll defer to those more
> > > > knowledgeable on the list if I'm wrong.
> > >
> > > then...,  there isn't any benefit associated with kerberos in a pure
> > > samba environment with a ldap(+tsl) backend?
> > >
> > > I was thinking about SSO and native kerberos logins but from this
> > > comment I must understand that it ins't possible?
> 
> -- 
> -----BEGIN GEEK CODE BLOCK-----
> Version: 3.1
> GCS/IT d- s+:+() a31 C+++ UBL+++$ P+ L+++ E--- W++ N+ o++ K- w---
> O+ M+ V- PS+ PE+ Y++ PGP+>+++ t+ 5 X+$ R- tv-- b+++ DI D++>+++
> G++ e- h+(++) !r !z
> ------END GEEK CODE BLOCK------



More information about the samba mailing list