[Samba] Setting up ADS in Samba with MIT kerberos mapping/backend

Udo Rader udo.rader at bestsolution.at
Wed Mar 19 13:54:04 GMT 2008


On Wed, 2008-03-19 at 08:43 -0500, Pat Riehecky wrote:
> Don't use NFS.  It is trivial to compromise the security of NFS - you
> simply need root on something, set your IP and su as needed.  If the
> tactic is not clear poke me off list.  NFS is never the answer outside
> of the data center.


Huh? NFS has had strong security support (including kerberos) since
2000, so what are you talking about?


> On Wed, 2008-03-19 at 08:23 -0400, James Pulver wrote:
> > Speaking to the kinit, maybe there's a free file manager for windows
> > that would interop with MIT Leash for passing the ticket to samba? I'm
> > able to get putty and WinSCP for instance to work with the Network
> > Identity Manager...
> > 
> > I'm debating dropping samba, and trying again for either a different
> > file system (AFS or NFS on windows) or having to switch around to using
> > AD as central authentication (which I'd rather not do).
> > --
> > James Pulver
> > Information Technology Area Supervisor
> > LEPP Computer Group
> > Cornell University
> > 
> > 
> > 
> > Steve Harper wrote:
> > > We here at the University of Utah have a similar setup that we are
> > > trying to get work.  We have set up a cross-realm trust between our MIT
> > > Kerberos server and our Windows AD Domain, and all the user accounts
> > > altSecurityIdentities map the AD users to our MIT style kerberos realm.
> > > AD passwords are set to long random strings.
> > > 
> > > So far we have followed the guide below on the Samba wiki, with some
> > > success but there are a few things that still do not work.
> > > 
> > > http://wiki.samba.org/index.php/Samba_%26_Active_Directory
> > > 
> > > On linux and mac workstations we can map shares on our samba server once
> > > we have done a kinit against our kerberos realm.
> > > 
> > > kinit username@UTAH.EDU
> > > smbclient \\sambaserver.utah.edu\SHARENAME -k
> > > 
> > > Smb shares initiated from the GUI on the Mac work ok on the Tiger
> > > release of Mac OS X, but seem to fail on Leopard.
> > > 
> > > Other than that, it all works fine on these clients.
> > > 
> > > The problem is with the windows workstations.  Workstations that are
> > > members of the domain can logon with their MIT passwords, specifying the
> > > kerberos realm in the GINA.  Once there they can seamlessly map drives
> > > iff they specify their (usually set to garbage) local AD passwords.  All
> > > other permutations to let the samba or windows server know that we want
> > > to use our cross-realm trust credentials have been unsuccessful thus far.
> > > Ideally we would like to be able to map drives to these shares from
> > > windows machines that are not even members of our AD domain.
> > > 
> > > A new option I saw that I have not had time to try out yet for the
> > > smb.conf is
> > > use kerberos keytab = yes
> > > 
> > > This might help the clients to succeed, or it might be useful in getting
> > > Samba to attempt to authenticate users directly against our MIT Kerberos
> > > server.  I've still got a lot of reading and experimenting to do to see
> > > if we can pull this together.  Hopefully somebody else on this list has
> > > already fought such a battle and emerged triumphant.  But in perusing
> > > the list archives for a few hours I have yet to see something like this.
> > > 
> > > Thanks,
> > > Steve Harper
> > > Center for High Performance Computing
> > > University of Utah.
> > > 
> > > James Pulver wrote:
> > >> So, I'm trying to figure out how to get Samba to work in this way.
> > >> Specifically, I have a 2003 R2 AD in 2003 functional level. All user
> > >> accounts are mapped to the same user account name @ our MIT Kerberos
> > >> server. Users do not know their AD password.
> > >>
> > >> Can Samba authenticate users with their Kerberos realm passwords, and
> > >> know to use the same user name so the UIDs match for both platforms +
> > >> permissions?
> > >>
> > >> If it can, what should the smb.conf look like?
> > >> -- 
> > >> James Pulver
> > >> Information Technology Area Supervisor
> > >> LEPP Computer Group
> > >> Cornell University
> > >>
> > 

-- 
Udo Rader

bestsolution.at EDV Systemhaus GmbH
http://www.bestsolution.at
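As an added illustration (not from anyone in this thread), here is a minimal smb.conf [global] fragment showing where the `use kerberos keytab = yes` option Steve mentions sits next to the realm and security settings a Samba 3 domain member needs; the workgroup and realm names are placeholders for the AD domain the server is actually joined to.

```ini
[global]
   ; placeholder names: the AD domain and Kerberos realm this server is joined to
   workgroup = EXAMPLEAD
   realm = AD.EXAMPLE.EDU
   ; authenticate as an AD domain member, so Kerberos tickets for
   ; cifs/<fqdn>@AD.EXAMPLE.EDU are accepted by smbd
   security = ads
   ; keep the host/ and cifs/ service principals in the system keytab
   ; (/etc/krb5.keytab) rather than only in Samba's private secrets.tdb;
   ; that keytab holds the service keys, so it must stay readable by root only
   use kerberos keytab = yes
```

After a `kinit` against the MIT realm, `klist` shows whether the cross-realm TGT and the cifs/ service ticket were actually issued before `smbclient -k` is tried; if no service ticket appears, the trust or the keytab, not the share, is what needs attention.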
