[Samba] Changing password in PDC using a pre-hashed value
emond.papegaaij at topicus.nl
Tue Nov 25 12:17:35 MST 2014
Sorry for sending my previous mail directly to you, I keep on having trouble
with GMail and mailing lists.
On Tuesday, November 25, 2014 04:18:04 PM you wrote:
> On 25/11/14 16:08, Emond Papegaaij wrote:
> > I've read some articles about Kerberos, and do have some questions
> > about it. From what I've read, Kerberos requires the client to be part
> > of the domain and the client application needs to support the
> > authentication scheme. Both are not possible in our case. For example:
> > I need to perform maintenance on a server, but only have my smartphone
> > (android or ios). I now need to somehow connect to the server using
> > RDP on my phone, but my phone is not in the domain, nor has the client
> > support for Kerberos. Another client that does not seem to support
> > Kerberos is Chrome, the browser used by most coworkers, especially
> > when running Ubuntu. Can I authenticate against a Kerberos service
> > from my Ubuntu laptop without installing and configuring kinit?
> Oh come on, you cannot be serious, you cannot expect to properly
> administrate *any* server from a smartphone. =-O
I expect to be able to administrate any server on any system at any time. This
quote from Wikipedia explains our problem quite nicely:
"Kerberos requires user accounts, user clients and the services on the server
to all have a trusted relationship to the Kerberos token server (All must be
in the same Kerberos domain or in domains that have a trust relationship
between each other). Kerberos cannot be used in scenarios where users want to
connect to services from unknown/untrusted clients as in a typical Internet or
cloud computer scenario, where the authentication provider typically does not
have knowledge about the users client system."
This one requirement eliminates Kerberos for us. We do not require our
employees to join a domain, nor do I want to. Also, setting up trusted domains
on several sites is simply a no-go. It's not what we want nor what we need.
> > Did I misunderstand Kerberos, or is this how it works?
> Yes you have misunderstood Kerberos and yes it is how it works.
Even though terminology I use might not be entirely correct, I think I've got
the big picture of the Kerberos protocol quite right. It's not going to solve
our problem. At the moment, we've got two options left: Perhaps
https://wiki.samba.org/index.php/Samba_%26_LDAP might help us. Our second
option is storing the passwords using symmetrical encryption but letting the
user store the key.
More information about the samba