[Samba] What is good about kereberos auth?
José M. Fandiño
samba at fadesa.es
Thu May 5 10:11:48 GMT 2005
Ti Leggett wrote:
>
> The kerberos libraries are linked in for kerberos authentication to a MS
> AD server not for other third party kerberos databases.
ok, from this I deduced that samba only can use a TGS and it isn't able
to get a TGT for transparent Kerberos logins which in part explains why
SSO isn't possible.
Thank you for the explanation, Ti.
> On Wed, 2005-05-04 at 19:45 +0200, José M. Fandiño wrote:
> > "José M. Fandiño" wrote:
> > >
> > > Ti Leggett wrote:
> > > >
> > > > That may be true, but there is another win in this type of environment.
> > > > Separation of your authentication database from your identity management
> > > > database. Regardless of how you authenticate in this scenario, you will
> > >
> > > also there is the opposite school of thought, if you have disconnected
> > > databases it makes management more difficult, i.e. keep passwords synchronized
> > > for different applications.
> > >
> > > > be sending passwords (even encrypted) over the wire. If the passwords
> > > > are in a KDC then at least it's not easy to gain those passwords. If you
> > > > keep your passwords in LDAP, then you need to be very careful about who
> > > > has access to them.
> > >
> > > that is true in an environment with native kerberos authentication, but
> >
> > > in the samba case it isn't applicable because the password is sent to
> > > PAM and this check the password against ldap send it over the wire.
> >
> > well, I'm a bit confused here. For Kerberos auth samba is using
> > native kerberos or pam_krb5?
> >
> > In my test machine smbd is linked with libpam, libkrb5 and libgssapi.
--
-----BEGIN GEEK CODE BLOCK-----
Version: 3.1
GCS/IT d- s+:+() a31 C+++ UBL+++$ P+ L+++ E--- W++ N+ o++ K- w---
O+ M+ V- PS+ PE+ Y++ PGP+>+++ t+ 5 X+$ R- tv-- b+++ DI D++>+++
G++ e- h+(++) !r !z
------END GEEK CODE BLOCK------
More information about the samba
mailing list