[Samba] Samba authentication to Kerberos via OpenLDAP, third and last try

Wes Modes wmodes at ucsc.edu
Thu Apr 3 21:00:36 GMT 2008



Volker Lendecke wrote:
> On Thu, Apr 03, 2008 at 01:34:30PM -0700, Wes Modes wrote:
>   
>> The question and the challenge:  Any leads on how I might convince Samba 
>> to pass the input password on to OpenLDAP so that OpenLDAP can 
>> authenticate it against Kerberos?
>>     
>
> The only chance is that you modify each client's registry to
> send plain text passwords to the server over the network,
> downgrading your security to what telnet provided ages ago.
> You can guess that this is ABSOLUTELY NOT recommended. If
> you go with standard Windows authentication schemes, the
> SMB server never sees the user's plain text password which
> would be required to authenticate against Kerberos.
>
> Volker
>   
Yeah, I'm not so keen on sending plaintext passwords anywhere. 

It is already moderately well documented how to connect Samba up to use
Kerberos authentication.  And my guess is that the Kerberos model would 
not allow passwords to be sent plaintext.  More likely an encrypted hash 
gets passed?  I don't know the precise mechanism, but would like to.

But beyond that, how could one use Samba to pass that encrypted password 
to LDAP to pass on to Kerberos to authenticate?

W.

-- 

Wes Modes
Server Administrator & Programmer Analyst
McHenry Library
Computing & Network Services
Information and Technology Services
459-5208
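
Added example, not part of the original message or of Samba's code: a simplified model of the challenge/response exchange Volker describes, showing that the server only ever receives a keyed response and so holds no cleartext it could hand on to OpenLDAP or Kerberos. SHA-256 and HMAC stand in for the real NTLM primitives, and every name and the sample password are constructed.

```python
import hashlib
import hmac
import os

# Simplified stand-in for an NTLM-style challenge/response. Real NTLM uses
# different primitives (an MD4-based password hash); SHA-256 and HMAC are
# swapped in here so the sketch runs on any Python build.

def password_key(password: str) -> bytes:
    """What the server stores per user: a one-way derivation, not the password."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()

def client_response(password: str, challenge: bytes) -> bytes:
    """Client proves knowledge of the password without transmitting it."""
    return hmac.new(password_key(password), challenge, hashlib.sha256).digest()

class Server:
    def __init__(self, key_db):
        self.key_db = key_db      # user -> derived key (hypothetical store)
        self.received = []        # every blob the server ever sees
        self._challenge = None

    def challenge(self) -> bytes:
        self._challenge = os.urandom(8)   # fresh per attempt, defeats replay
        return self._challenge

    def verify(self, user: str, response: bytes) -> bool:
        self.received.append(response)
        key = self.key_db.get(user)
        if key is None or self._challenge is None:
            return False
        expected = hmac.new(key, self._challenge, hashlib.sha256).digest()
        self._challenge = None            # one response per challenge
        return hmac.compare_digest(expected, response)

def cleartext_available(server: Server, password: str) -> bool:
    """A pass-through bind to OpenLDAP/Kerberos would need these exact bytes."""
    forms = (password.encode("utf-8"), password.encode("utf-16-le"))
    return any(f in blob for blob in server.received for f in forms)

def demo():
    password = "Constructed-Passw0rd"     # constructed sample value
    server = Server({"wes": password_key(password)})
    good = server.verify("wes", client_response(password, server.challenge()))
    bad = server.verify("wes", client_response("wrong-guess", server.challenge()))
    return good, bad, cleartext_available(server, password)

if __name__ == "__main__":
    print(demo())
```

The server authenticates the user correctly, yet nothing it received contains the password, which is why a pass-through to a password-based backend only works if clients are forced to send cleartext.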

