[Samba] Samba authentication to Kerberos via OpenLDAP, third and last try
Wes Modes
wmodes at ucsc.edu
Thu Apr 3 21:00:36 GMT 2008
Volker Lendecke wrote:
> On Thu, Apr 03, 2008 at 01:34:30PM -0700, Wes Modes wrote:
>
>> The question and the challenge: Any leads on how I might convince Samba
>> to pass the input password on to OpenLDAP so that OpenLDAP can
>> authenticate it against Kerberos?
>>
>
> The only chance is that you modify each client's registry to
> send plain text passwords to the server over the network,
> downgrading your security to what telnet provided ages ago.
> You can guess that this is ABSOLUTELY NOT recommended. If
> you go with standard Windows authentication schemes, the
> SMB server never sees the user's plain text password which
> would be required to authenticate against Kerberos.
>
> Volker
>
Yeah, I'm not so keen on sending plaintext passwords anywhere.
It is already moderately well documented how to connect Samba up to use
Kerberos authentication. And my guess is that the Kerberos model would
not allow passwords to be sent plaintext. More likely an encrypted hash
gets passed? I don't know the precise mechanism, but would like to.
But beyond that, how could one use Samba to pass that encrypted password
to LDAP to pass on to Kerberos to authenticate?
W.
--
Wes Modes
Server Administrator & Programmer Analyst
McHenry Library
Computing & Network Services
Information and Technology Services
459-5208
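
The point made in the quoted reply, that with standard Windows authentication the SMB server never sees the plaintext password, shown as an added example that is not part of the original thread. It is a simplified model of an NTLM-style challenge-response: SHA-256 and HMAC-SHA256 stand in for the MD4-based NT hash and the HMAC-MD5 that real NTLM uses, and the class names, user name and password are constructed for illustration.

```python
import hashlib
import hmac
import os


def stored_hash(password: str) -> bytes:
    # Stand-in for the NT hash (real NTLM: MD4 over the UTF-16LE password).
    return hashlib.sha256(password.encode("utf-16-le")).digest()


class Client:
    def __init__(self, user: str, password: str):
        self.user = user
        # The key is derived locally; the password itself is never sent.
        self._key = stored_hash(password)

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


class SmbServer:
    def __init__(self, accounts: dict):
        self.accounts = accounts   # user -> stored one-way hash
        self.received = []         # everything the client sent over the wire

    def authenticate(self, client: Client) -> bool:
        challenge = os.urandom(16)             # fresh nonce per attempt
        response = client.respond(challenge)
        self.received.append(response)
        key = self.accounts.get(client.user)
        if key is None:
            return False
        expected = hmac.new(key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def demo():
    password = "correct horse battery staple"  # constructed sample value
    server = SmbServer({"alice": stored_hash(password)})
    good = server.authenticate(Client("alice", password))
    bad = server.authenticate(Client("alice", "wrong guess"))
    # Check whether the plaintext ever reached the server in any encoding.
    needles = (password.encode(), password.encode("utf-16-le"))
    leaked = any(n in msg for msg in server.received for n in needles)
    return good, bad, leaked


if __name__ == "__main__":
    print(demo())
```

The server can verify the response, but it holds only a one-way hash and a per-session response, so it has no plaintext to hand to an LDAP bind or a Kerberos password check.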