[Samba] Samba authentication to Kerberos via OpenLDAP, third and last try

Wes Deviers wdevie at hrcsb.org
Fri Apr 4 14:07:24 GMT 2008

On Thu 3 Apr 2008 5:00:36 pm Wes Modes wrote:
> Volker Lendecke wrote:
> > On Thu, Apr 03, 2008 at 01:34:30PM -0700, Wes Modes wrote:
> >> The question and the challenge:  Any leads on how I might convince Samba
> >> to pass the input password on to OpenLDAP so that OpenLDAP can
> >> authenticate it against Kerberos?
> >
> > The only chance is that you modify each client's registry to
> > send plain text passwords to the server over the network,
> > downgrading your security to what telnet provided ages ago.
> > You can guess that this is ABSOLUTELY NOT recommended. If
> > you go with standard Windows authentication schemes, the
> > SMB server never sees the user's plain text password which
> > would be required to authenticate against Kerberos.
> >
> > Volker
> Yeah, I'm not so keen on sending plaintext passwords anywhere.
> It is already moderately-well documented how to connect Samba up to use
> Kerberos authentication.  And my guess is that the Kerberos model would
> not allow passwords to be sent plaintext.  More likely an encrypted hash
> gets passed?  I don't know the precise mechanism, but would like to.
> But beyond that, how could one use Samba to pass that encrypted password
> to LDAP to pass on to Kerberos to authenticate?

Note: this is from my experience and research, both of which are extensive but 
probably wrong.  I wanted to do a similar thing (poor-man's SSO).

I believe the problem is twofold:

1) The client never actually sends the password.  By default, it sends a 
response to a challenge from the server; the response is based on the 
password.  So the password, in any form, never traverses the network unless 
you explicitly turn on that compatibility model.  Samba can't forward what it 
doesn't have.

2) Using LDAP for authentication is...a hack, to put it bluntly.  Everybody 
does it, but we probably shouldn't.  The problem is that either 
authentication scenario (bind against LDAP = Good! or query the tree for 
user/pw/group/etc.) would require modifications to the LDAP server.  It could 
accept the password, request a certificate and then store the token and 
return the "Correct" answer if the token is good and intentionally return 
an "incorrect" answer if the Kerb auth fails.

Since you can't send passwords in plaintext for obvious reasons, a simple or 
complex way to do this escapes me.  

I assume that you're not doing domain logins.  You could write a web interface 
or quick Java craplet (or a keylogger...) that takes a login from the user 
and captures their password.  Then you can feed that to a process on the LDAP 
server which authenticates against kerberos; if the authentication succeeds, 
you dump the hashed/crypted version of the password into the LDAP directory 
for authentication use later.  

Convoluted, but you could make it work.
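
[Editor's added example, not part of the thread.]  Point 1) above is the whole
problem, so here is the mechanism made concrete: an NTLMv2 exchange, as
specified in MS-NLMP, written out in Python.  The client derives a keyed
response from the NT hash of the password and the server's 8-byte challenge;
the server verifies it using only the NT hash it has stored and never learns
the password.  The user and domain names, the challenges and the password are
constructed for the demo.  Because OpenSSL 3 no longer ships MD4 in its default
provider, the block carries a pure-Python MD4 (RFC 1320) as a fallback; the
first assertions below check it against the well-known NT hash of "password".

```python
"""NTLMv2 challenge/response: what actually crosses the wire when a client
authenticates to an SMB server, and why the server has no plaintext to forward.
Added illustration; not code from Samba or from the mailing-list thread."""
import hashlib
import hmac
import os
import struct

MASK = 0xFFFFFFFF


def _md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320), used when OpenSSL does not offer md4."""
    def f(x, y, z): return (x & y) | (~x & z & MASK)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z
    def rotl(x, n): return ((x << n) | (x >> (32 - n))) & MASK

    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)          # bit length, little-endian
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    rounds = (
        (f, 0x00000000, (3, 7, 11, 19), tuple(range(16))),
        (g, 0x5A827999, (3, 5, 9, 13), (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (h, 0x6ED9EBA1, (3, 9, 11, 15), (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for func, k, shifts, order in rounds:
            for i, idx in enumerate(order):
                a = rotl((a + func(b, c, d) + x[idx] + k) & MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c                # rotate the working registers
        a0, b0, c0, d0 = (a0 + a) & MASK, (b0 + b) & MASK, (c0 + c) & MASK, (d0 + d) & MASK
    return struct.pack("<4I", a0, b0, c0, d0)


def md4(data: bytes) -> bytes:
    try:
        return hashlib.new("md4", data).digest()
    except ValueError:                               # "unsupported hash type md4"
        return _md4(data)


def nt_hash(password: str) -> bytes:
    """NT hash (NTOWFv1): MD4 over the UTF-16LE password.  This, not the
    password, is what the SMB server stores (Samba: sambaNTPassword / passdb)."""
    return md4(password.encode("utf-16-le"))


def ntowf_v2(nthash: bytes, user: str, domain: str) -> bytes:
    """NTOWFv2 per MS-NLMP 3.3.2: HMAC-MD5 keyed with the NT hash."""
    return hmac.new(nthash, (user.upper() + domain).encode("utf-16-le"), "md5").digest()


def ntlmv2_blob(client_nonce: bytes, timestamp: int = 0,
                target_info: bytes = b"\x00\x00\x00\x00") -> bytes:
    """The 'temp' structure (RespType, HiRespType, reserved, time, client
    challenge, reserved, AV pairs, reserved); target_info defaults to MsvAvEOL."""
    return (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp)
            + client_nonce + b"\x00" * 4 + target_info + b"\x00" * 4)


def client_response(password: str, user: str, domain: str,
                    server_challenge: bytes, client_nonce: bytes) -> bytes:
    """Client side: NTProofStr || blob.  Derived from the password, but the
    password (or its hash) is not itself part of the message."""
    key = ntowf_v2(nt_hash(password), user, domain)
    blob = ntlmv2_blob(client_nonce)
    proof = hmac.new(key, server_challenge + blob, "md5").digest()
    return proof + blob


def server_verify(stored_nt_hash: bytes, user: str, domain: str,
                  server_challenge: bytes, response: bytes) -> bool:
    """Server side: recompute NTProofStr from the stored NT hash and compare.
    Nothing here requires, or yields, the plaintext password."""
    proof, blob = response[:16], response[16:]
    key = ntowf_v2(stored_nt_hash, user, domain)
    expected = hmac.new(key, server_challenge + blob, "md5").digest()
    return hmac.compare_digest(proof, expected)


def demo(enrolled: str = "password", typed: str = "password") -> dict:
    """One exchange.  The server holds nt_hash(enrolled); the client types `typed`.
    User, domain, challenge and nonce are constructed values for the demo."""
    user, domain = "wes", "EXAMPLE"
    server_challenge = os.urandom(8)
    client_nonce = os.urandom(8)
    wire = client_response(typed, user, domain, server_challenge, client_nonce)
    return {
        "ok": server_verify(nt_hash(enrolled), user, domain, server_challenge, wire),
        "plaintext_on_wire": typed.encode("utf-16-le") in wire,
        "wire_len": len(wire),
    }
```

Run demo() and the server accepts the login, demo("password", "Password")
is rejected, and in neither case does the UTF-16 password appear in the
bytes the client sent.  That is the "challenge/response" of point 1): the
server can check a response against the hash it stores, but it has nothing
it could hand to an LDAP or Kerberos backend that needs the password.  The
client registry switch Volker refers to is LanmanWorkstation's
EnablePlainTextPassword, which makes the client send the password itself
in place of this response.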

