[Samba] Samba authentication to Kerberos via OpenLDAP, third and last try
wdevie at hrcsb.org
Fri Apr 4 14:07:24 GMT 2008
On Thu 3 Apr 2008 5:00:36 pm Wes Modes wrote:
> Volker Lendecke wrote:
> > On Thu, Apr 03, 2008 at 01:34:30PM -0700, Wes Modes wrote:
> >> The question and the challenge: Any leads on how I might convince Samba
> >> to pass the input password on to OpenLDAP so that OpenLDAP can
> >> authenticate it against Kerberos?
> > The only chance is that you modify each client's registry to
> > send plain text passwords to the server over the network,
> > downgrading your security to what telnet provided ages ago.
> > You can guess that this is ABSOLUTELY NOT recommended. If
> > you go with standard Windows authentication schemes, the
> > SMB server never sees the user's plain text password which
> > would be required to authenticate against Kerberos.
> > Volker
> Yeah, I'm not so keen on sending plaintext passwords anywhere.
> It is already moderately-well documented how to connect Samba up to use
> Kerberos authentication. And my guess is that the Kerberos model would
> not allow passwords to be sent plaintext. More likely an encrypted hash
> gets passed? I don't know the precise mechanism, but would like to.
> But beyond that, how could one use Samba to pass that encrypted password
> to LDAP to pass on to Kerberos to authenticate?
Note: this is from my experience and research, both of which are extensive but
probably wrong. I wanted to do a similar thing (poor-man's SSO).

I believe the problem is twofold:

1) The client never actually sends the password. By default, it sends a
response to a challenge from the server; the response is based on the
password. So the password, in any form, never traverses the network unless
you explicitly turn on that compatibility model. Samba can't forward what it

2) Using LDAP for authentication is...a hack, to put it bluntly. Everybody
does it, but we probably shouldn't. The problem is that either
authentication scenario (bind against LDAP = Good! or query the tree for
user/pw/group/etc.) would require modifications to the LDAP server. It could
accept the password, request a certificate and then store the token and
return the "Correct" answer if the token is good and intentionally return
an "incorrect" answer if the Kerb auth fails.

Since you can't send passwords in plaintext for obvious reasons, a simple or
complex way to do this escapes me.

I assume that you're not doing domain logins. You could write a web interface
or quick Java craplet (or a keylogger...) that takes a login from the user
and captures their password. Then you can feed that to a process on the LDAP
server which authenticates against Kerberos; if the authentication succeeds,
you dump the hashed/crypted version of the password into the LDAP directory
for authentication use later.

Convoluted, but you could make it work.
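Added illustration of point 1 above (this is editor-supplied example code, not part of the thread or of Samba): a constructed, simplified challenge-response exchange in Python. It is not the real NTLM algorithm (which derives its key with MD4 over the UTF-16LE password and answers with HMAC-MD5); it only shows the structure, where the server stores a password-derived verifier and sees nothing but challenge and response on the wire, so it holds no plaintext that could be handed to an LDAP simple bind or a Kerberos login.

```python
import hashlib
import hmac
import os

# Constructed, simplified model of the SMB/NTLM-style exchange described in
# the thread. NOT the real NTLM algorithm (that uses MD4 + HMAC-MD5); the
# shape is the same: the client proves knowledge of a password-derived
# secret without ever putting the password itself on the network, and the
# server can only check, never recover, that password.

CHALLENGE_LEN = 8  # NTLM uses an 8-byte server nonce; constructed choice here

def password_verifier(password: str) -> bytes:
    """Password-derived secret. This is all the server ever stores."""
    return hashlib.sha256(password.encode("utf-8")).digest()

def server_issue_challenge() -> bytes:
    """Server side: a fresh random nonce for every authentication attempt."""
    return os.urandom(CHALLENGE_LEN)

def client_respond(password: str, challenge: bytes) -> bytes:
    """Client side: the password is used locally and never transmitted."""
    key = password_verifier(password)
    return hmac.new(key, challenge, hashlib.sha256).digest()

def server_verify(stored_verifier: bytes, challenge: bytes, response: bytes) -> bool:
    """Server side: recompute the expected response from the stored verifier
    and compare in constant time. Nothing here yields the plaintext, so there
    is nothing to forward to an LDAP bind or a Kerberos password check."""
    expected = hmac.new(stored_verifier, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)

def run_exchange(stored_verifier: bytes, client_password: str) -> dict:
    """Drive one full exchange and report exactly what crossed the wire."""
    challenge = server_issue_challenge()
    response = client_respond(client_password, challenge)
    return {
        "wire_challenge": challenge,
        "wire_response": response,
        "authenticated": server_verify(stored_verifier, challenge, response),
    }

if __name__ == "__main__":
    verifier = password_verifier("correct horse")  # constructed sample password
    good = run_exchange(verifier, "correct horse")
    bad = run_exchange(verifier, "wrong password")
    print("good password:", good["authenticated"])   # True
    print("wrong password:", bad["authenticated"])   # False
```

A captured response is also useless against a later challenge, since every attempt gets a fresh nonce.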