[Samba] What is good about Kerberos auth?

Ti Leggett leggett at ci.uchicago.edu
Thu May 5 13:56:56 GMT 2005


No problem, now let's just hope I'm right in my explanation ;)

On Thu, 2005-05-05 at 12:11 +0200, José M. Fandiño wrote:
> Ti Leggett wrote:
> > 
> > The kerberos libraries are linked in for kerberos authentication to a MS
> > AD server not for other third party kerberos databases.
> 
> ok, from this I deduced that samba can only use a TGS and it isn't able
> to get a TGT for transparent Kerberos logins which in part explains why 
> SSO isn't possible.
> 
> Thank you for the explanation, Ti.
> 
> > On Wed, 2005-05-04 at 19:45 +0200, José M. Fandiño wrote:
> > > "José M. Fandiño" wrote:
> > > >
> > > > Ti Leggett wrote:
> > > > >
> > > > > That may be true, but there is another win in this type of environment.
> > > > > Separation of your authentication database from your identity management
> > > > > database. Regardless of how you authenticate in this scenario, you will
> > > >
> > > > also there is the opposite school of thought, if you have disconnected
> > > > databases it makes management more difficult, i.e. keep passwords synchronized
> > > > for different applications.
> > > >
> > > > > be sending passwords (even encrypted) over the wire. If the passwords
> > > > > are in a KDC then at least it's not easy to gain those passwords. If you
> > > > > keep your passwords in LDAP, then you need to be very careful about who
> > > > > has access to them.
> > > >
> > > >  that is true in an environment with native kerberos authentication, but
> > >
> > > > in the samba case it isn't applicable because the password is sent to
> > > > PAM and this checks the password against ldap, sending it over the wire.
> > >
> > > well, I'm a bit confused here. For Kerberos auth samba is using
> > > native kerberos or pam_krb5?
> > >
> > > In my test machine smbd is linked with libpam, libkrb5 and libgssapi.
> 


