On Tue, 2007-04-03 at 21:47 -0400, Sean Elble wrote:
> On 4/3/07 1:20 PM, "Jörg Herzinger" <[EMAIL PROTECTED]> wrote:
>
> > Hello. I'm trying to implement a single-sign-on system with MIT-Kerberos and
> > OpenLDAP. These two are currently working pretty well, but now I'm trying to
> > add samba to this system. I've found a lot of tutorials about samba PDC with
> > LDAP backend, but this is of course not quite what I want. My passwords are
> > stored in the kerberos database and userdata is stored in LDAP.
> > Is there a way to authenticate samba through LDAP/Kerberos? Or is it maybe
> > possible to authenticate samba through PAM?
>
> It's an idea a lot of people want to implement, but sadly, it is not
> possible for Samba to use a Kerberos password database, at least not while
> using encrypted passwords. The reason is that, when Samba uses
> encrypted passwords, it has no access to the password itself, only the
> hashed representation. In addition, the encryption hash, if you will, that
> Windows uses is nothing like the encryption hash used by Kerberos. This is a
> bit of a simplification, but it is how I understand it.
This is incorrect. Heimdal can use Samba's password database as a backend,
because the sambaNTPassword is what Microsoft made the arcfour-hmac-md5
kerberos key out of.

> I have achieved a sort of single-sign-on environment by using Samba's
> password script functionality to change both the Samba password (stored in a
> LDAP backend) and the Kerberos password at the same time. My particular
> setup involves Samba running on the same machine as the KDC daemon, which
> allows me to use these Samba parameters in smb.conf:
>
> unix password sync = yes
> passwd program = /usr/kerberos/sbin/kadmin.local -q 'cpw %u'
> passwd chat = "Authenticating as principal*"\n"Enter password for principal *"%u"*:*" %n\n \n"Re-enter password for principal *"%u"*:*" %n\n \n"Password for *"%u"@* changed."\n
>
> This probably would not be the best setup in an enterprise environment, but
> at my in-home "lab" where I play with this kind of stuff, it works just
> fine, as long as my "users" remember to change their passwords via Windows
> (i.e. not your typical passwd/kpasswd programs). Hope that helps . . .

The other option is the smbk5pwd module for openldap, and setting 'ldap
password sync = yes'. I've not used it myself, but I'm told it works.

Andrew Bartlett

--
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.                  http://redhat.com