[Samba] Samba LDAP kerberos tickets problem
Hi,

I am using Samba to join AD, but I have a problem with version 3.4.7 which does not occur in version 3.2.5. Here are my steps:

In version 3.2.5:

1. set the realm in smb.conf and krb5.conf to test.com; in smb.conf set use kerberos keytab = true
2. net ads join -U Administrator%Password createupn=t...@test.com createcomputer="Computers"
3. net ads keytab create

The three steps will have no error and all succeed; then, using klist, the ldap/ds1.test@test.com ticket will be available in the output.

But in version 3.4.7:

1. set the realm in smb.conf and krb5.conf to test.com; in smb.conf set kerberos method = system keytab
2. net ads join -U Administrator%Password createupn=t...@test.com createcomputer="Computers"
3. net ads keytab create

Step 1 and Step 2 will succeed. But when I run step 3, it asks me to input root's password; this did not happen when using version 3.2.5. Then I have to use net ads keytab create -U Administrator%Password to make it run successfully, but after this when I use klist, the ldap/ds1.test@test.com ticket does not exist.

So what happens and how can I make it like version 3.2.5?

When I try to use net -k ads keytab create, the exit value will be -1 and when I add debug information, the error will be:

ads_krb5_mk_req: krb5_get_credentials failed ( ldap/ds1.test@test.com) ( Cannot find ticket for requested realm)

Can anyone help me? Thanks very much in advance!

-- 
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] samba, ldap, kerberos
samba-requ...@lists.samba.org wrote:

> Subject: Re: [Samba] samba, ldap, kerberos
> From: Natxo Asenjo
> Date: Mon, 15 Feb 2010 09:42:18 +0100
> To: Samba Mail List
>
> On Mon, Feb 15, 2010 at 7:27 AM, Pramathesh Ambasta wrote:
>> Though I am not new to samba, I am new to this so will really appreciate guidance. If I want to implement a single sign on scheme using openldap and kerberos on a linux server, how can samba be integrated into this scheme? As far as I can understand from the docs, the discussions on samba and kerberos deal with samba integration into an active directory domain. Does that mean that what I am talking about cannot be done?
>
> take a look at samba 4. Check the installation instructions on the wiki: wiki.samba.org. As they state, it is not production ready (yet) but I find it quite stable.
>
> natxo

Thanks for your response

Pramathesh
Re: [Samba] samba, ldap, kerberos
On Mon, Feb 15, 2010 at 7:27 AM, Pramathesh Ambasta wrote:
> Though I am not new to samba, I am new to this so will really appreciate
> guidance. If I want to implement a single sign on scheme using openldap and
> kerberos on a linux server, how can samba be integrated into this scheme? As
> far as I can understand from the docs, the discussions on samba and kerberos
> deal with samba integration into an active directory domain. Does that mean
> that what I am talking about cannot be done?

take a look at samba 4. Check the installation instructions on the wiki: wiki.samba.org. As they state, it is not production ready (yet) but I find it quite stable.

natxo
[Samba] samba, ldap, kerberos
Though I am not new to samba, I am new to this so will really appreciate guidance. If I want to implement a single sign on scheme using openldap and kerberos on a linux server, how can samba be integrated into this scheme? As far as I can understand from the docs, the discussions on samba and kerberos deal with samba integration into an active directory domain. Does that mean that what I am talking about cannot be done?

Grateful for help

Pramathesh
Re: [Samba] Samba - LDAP - Kerberos
On Thu, 2007-04-05 at 14:35 +0200, Jörg Herzinger wrote:
>> Like Kerberos, Samba needs the password-equivalent values, or some other
>> process that will perform the same calculations on them (like a DC for a
>> member server). There isn't any way around that. Interestingly Heimdal
>> 0.8 includes code to do this in the KDC (we don't have a client for this
>> yet, but it is a very interesting move).
>>
>> Andrew Bartlett
>
> Ok, I see the problem now. Since I am in a small network sending unencrypted
> passwords wouldn't be a problem and when samba has the cleartext password
> authenticating via PAM or anything else shouldn't be a problem, right?

You can't do domain logons with plaintext passwords, and it is far less stable, even for normal operations (with windows clients, after applying the registry patch). Just don't do it.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.                  http://redhat.com

-- 
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Samba - LDAP - Kerberos
> Like Kerberos, Samba needs the password-equivalent values, or some other
> process that will perform the same calculations on them (like a DC for a
> member server). There isn't any way around that. Interestingly Heimdal
> 0.8 includes code to do this in the KDC (we don't have a client for this
> yet, but it is a very interesting move).
>
> Andrew Bartlett

Ok, I see the problem now. Since I am in a small network sending unencrypted passwords wouldn't be a problem and when samba has the cleartext password authenticating via PAM or anything else shouldn't be a problem, right?
Re: [Samba] Samba - LDAP - Kerberos
On Wed, 2007-04-04 at 15:18 +0200, Jörg Herzinger wrote:
>> The other option is the smbk5pwd module for openldap, and setting 'ldap
>> password sync = yes'. I've not used it myself, but I'm told it works.
>
> Hmm, thanks, but this module is just a dirty trick in my eyes and it
> works just for Heimdal Kerberos but I use MIT-Kerberos. I almost can't
> believe that samba supports no other way of authenticating local users
> than its own database.

Like Kerberos, Samba needs the password-equivalent values, or some other process that will perform the same calculations on them (like a DC for a member server). There isn't any way around that. Interestingly Heimdal 0.8 includes code to do this in the KDC (we don't have a client for this yet, but it is a very interesting move).

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.                  http://redhat.com
Re: [Samba] Samba - LDAP - Kerberos
> The other option is the smbk5pwd module for openldap, and setting 'ldap
> password sync = yes'. I've not used it myself, but I'm told it works.

Hmm, thanks, but this module is just a dirty trick in my eyes and it works just for Heimdal Kerberos but I use MIT-Kerberos. I almost can't believe that samba supports no other way of authenticating local users than its own database.
Re: [Samba] Samba - LDAP - Kerberos
On Tue, 2007-04-03 at 21:47 -0400, Sean Elble wrote:
> On 4/3/07 1:20 PM, "Jörg Herzinger" <[EMAIL PROTECTED]> wrote:
>
>> Hello. I'm trying to implement a single-sign-on system with MIT-Kerberos and
>> OpenLDAP. These two are currently working pretty well, but now I'm trying to
>> add samba to this system. I've found a lot of tutorials about samba PDC with
>> LDAP backend, but this is of course not quite what I want. My passwords are
>> stored in the kerberos database and userdata is stored in LDAP.
>> Is there a way to authenticate samba through LDAP/Kerberos? Or is it maybe
>> possible to authenticate samba through PAM?
>>
>
> It's an idea a lot of people want to implement, but sadly, it is not
> possible for Samba to use a Kerberos password database, at least not while
> using encrypted passwords. The reason is that, when Samba uses
> encrypted passwords, it has no access to the password itself, only the
> hashed representation. In addition, the encryption hash, if you will, that
> Windows uses is nothing like the encryption hash used by Kerberos. This is a
> bit of a simplification, but it is how I understand it.

This is incorrect. Heimdal can use Samba's password database as a backend, because the sambaNTPassword is what Microsoft made the arcfour-hmac-md5 kerberos key out of.

> I have achieved a sort of single-sign-on environment by using Samba's
> password script functionality to change both the Samba password (stored in an
> LDAP backend) and the Kerberos password at the same time. My particular
> setup involves Samba running on the same machine as the KDC daemon, which
> allows me to use these Samba parameters in smb.conf:
>
> unix password sync = yes
> passwd program = /usr/kerberos/sbin/kadmin.local -q 'cpw %u'
> passwd chat = "Authenticating as principal*"\n"Enter password for
> principal *"%u"*:*" %n\n \n"Re-enter password for principal *"%u"*:*" %n\n
> \n"Password for *"%u"@* changed."\n
>
> This probably would not be the best setup in an enterprise environment, but
> at my in-home "lab" where I play with this kind of stuff, it works just
> fine, as long as my "users" remember to change their passwords via Windows
> (i.e. Not your typical passwd/kpasswd programs). Hope that helps . . .

The other option is the smbk5pwd module for openldap, and setting 'ldap password sync = yes'. I've not used it myself, but I'm told it works.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.                  http://redhat.com
Re: Re: [Samba] Samba - LDAP - Kerberos
I already thought that this is not possible. Is there no other way of authenticating samba? PAM, SASL, ANYTHING. I mean, I like samba, but in terms of user authentication it really isn't flexible.
Re: [Samba] Samba - LDAP - Kerberos
On 4/3/07 1:20 PM, "Jörg Herzinger" <[EMAIL PROTECTED]> wrote:

> Hello. I'm trying to implement a single-sign-on system with MIT-Kerberos and
> OpenLDAP. These two are currently working pretty well, but now I'm trying to
> add samba to this system. I've found a lot of tutorials about samba PDC with
> LDAP backend, but this is of course not quite what I want. My passwords are
> stored in the kerberos database and userdata is stored in LDAP.
> Is there a way to authenticate samba through LDAP/Kerberos? Or is it maybe
> possible to authenticate samba through PAM?
>

It's an idea a lot of people want to implement, but sadly, it is not possible for Samba to use a Kerberos password database, at least not while using encrypted passwords. The reason is that, when Samba uses encrypted passwords, it has no access to the password itself, only the hashed representation. In addition, the encryption hash, if you will, that Windows uses is nothing like the encryption hash used by Kerberos. This is a bit of a simplification, but it is how I understand it.

I have achieved a sort of single-sign-on environment by using Samba's password script functionality to change both the Samba password (stored in an LDAP backend) and the Kerberos password at the same time. My particular setup involves Samba running on the same machine as the KDC daemon, which allows me to use these Samba parameters in smb.conf:

unix password sync = yes
passwd program = /usr/kerberos/sbin/kadmin.local -q 'cpw %u'
passwd chat = "Authenticating as principal*"\n"Enter password for principal *"%u"*:*" %n\n \n"Re-enter password for principal *"%u"*:*" %n\n \n"Password for *"%u"@* changed."\n

This probably would not be the best setup in an enterprise environment, but at my in-home "lab" where I play with this kind of stuff, it works just fine, as long as my "users" remember to change their passwords via Windows (i.e. Not your typical passwd/kpasswd programs). Hope that helps . . .

> tia,
> Bowser

-- 
Sean Elble
Virginia Tech, Class of 2008
Vice President, VTLUUG
E-Mail: [EMAIL PROTECTED]
Web: http://www.sessys.com/~elbles/
[Samba] Samba - LDAP - Kerberos
Hello. I'm trying to implement a single-sign-on system with MIT-Kerberos and OpenLDAP. These two are currently working pretty well, but now I'm trying to add samba to this system. I've found a lot of tutorials about samba PDC with LDAP backend, but this is of course not quite what I want. My passwords are stored in the kerberos database and userdata is stored in LDAP.

Is there a way to authenticate samba through LDAP/Kerberos? Or is it maybe possible to authenticate samba through PAM?

tia,
Bowser
Re: [Samba] Samba + LDAP + ¿Kerberos?
PS - If you find my advice helpful, in lieu of lunch, I would accept entry into Washington U's doctoral Computer Science & Engineering program with a nice stipend. ;)

Sorry - just noticed your e-mail address and since I'm interested in grad studies, I couldn't resist. :)

Good luck with Samba/Kerberos!
Re: [Samba] Samba + LDAP + ¿Kerberos?
To answer my own question. Howard Chu, on the fedora-directory-users list, answered a slightly different version of the same query from me and I think has put me out of my misery :)

https://www.redhat.com/archives/fedora-directory-users/2006-December/msg00165.html

Now, my University has recently implemented an enterprise AD sign-on infrastructure that I could conceivably use for Samba Windows clients (via one-way trust) but I'm not sure where that would leave Linux / OS X machines. ('Course if I make all of *them* Samba clients)

Jim

Jim Hogan wrote:
> Michael, All,
>
> I have been going back through the Samba archives looking to see if a Samba+LDAP+Kerberos configuration is possible given my situation. Mostly I see posts that say "You can't get there from here.", but I don't want to give up too easily.
>
> My situation is this: I have a new Samba 3.x domain with LDAP back end (using Fedora Directory Server) and this stores user accounts for my university department (about 300) and groups. For UID this Samba domain uses the unique ID employed by the university. The university employs a very mature SSO infrastructure that includes Kerberos. I would like my Samba domain to use the university Kerberos realm for authentication (SSO) while I retain control over authorization and departmental users/groups/shares. We have a mix of Windows, Macs and Linux, so a generalizable Kerberos authentication has even more appeal.
>
> I have seen Samba How-To docs on using client Kerberos in an AD environment with examples of smb.conf entries for this. The Fedora Directory Server Wiki has a fairly straightforward entry on how to use FDS with Kerberos: http://directory.fedora.redhat.com/wiki/Howto:Kerberos
>
> What I am not seeing is a way to combine the two -- configure Samba clients as kerberos clients which then present the kerberos credential to the Samba backend (LDAP) to satisfy authentication. I can't find it, but I saw one article that seemed to suggest storing Kerberos credentials in the LDAP NTPasswd field -- made it seem like the LDAP/Samba server would act like a proxy for Samba client PCs -- but I am having a hard time seeing how you could avoid having all client PCs act as Kerberos clients.
>
> Like I say, I see some "not possible" replies, but some of them are pretty dated. I also see some replies (like this one from 2004: http://lists.samba.org/archive/samba/2004-April/084387.html ) which propose some slightly different ways of achieving similar ends, but not quite what I want to accomplish.
>
> Obviously, if anybody has already implemented the type of solution I lay out, I would buy them lunch (real or virtual) if they would share the details. Alternatively if anybody can authoritatively spell out why this just won't work, then I guess I can move on to the "grieving" stage :) If there is a grey area here, some opportunity to experiment, well, I'm game.
>
> Thanks!
>
> Jim
>
> Michael Schurter wrote:
>> Asier Baranguán wrote:
>>> Hi!
>>>
>>> Perhaps this is not the appropriate list, but I need some advice. I have a working Samba PDC with an LDAP backend over a secure TLS connection, with W2000 and XP clients. I've read in a lot of places that Kerberos is a very nice thing to have in the setup but I cannot see why. I know the foundations of kerberos but I can't see how much "value" it will add to the setup. Am I missing something? please, help.
>>
>> Windows clients (as well as properly configured UNIX clients) will use Kerberos to authenticate against your PDC and between one another. The advantage Kerberos has is that it allows single sign on: 2 clients both authenticate once against the PDC, and then they can use their kerberos tickets to authenticate one another as well (without having to manually login with usernames and passwords again).
Re: [Samba] Samba + LDAP + ¿Kerberos?
Michael, All,

I have been going back through the Samba archives looking to see if a Samba+LDAP+Kerberos configuration is possible given my situation. Mostly I see posts that say "You can't get there from here.", but I don't want to give up too easily.

My situation is this: I have a new Samba 3.x domain with LDAP back end (using Fedora Directory Server) and this stores user accounts for my university department (about 300) and groups. For UID this Samba domain uses the unique ID employed by the university. The university employs a very mature SSO infrastructure that includes Kerberos. I would like my Samba domain to use the university Kerberos realm for authentication (SSO) while I retain control over authorization and departmental users/groups/shares. We have a mix of Windows, Macs and Linux, so a generalizable Kerberos authentication has even more appeal.

I have seen Samba How-To docs on using client Kerberos in an AD environment with examples of smb.conf entries for this. The Fedora Directory Server Wiki has a fairly straightforward entry on how to use FDS with Kerberos: http://directory.fedora.redhat.com/wiki/Howto:Kerberos

What I am not seeing is a way to combine the two -- configure Samba clients as kerberos clients which then present the kerberos credential to the Samba backend (LDAP) to satisfy authentication. I can't find it, but I saw one article that seemed to suggest storing Kerberos credentials in the LDAP NTPasswd field -- made it seem like the LDAP/Samba server would act like a proxy for Samba client PCs -- but I am having a hard time seeing how you could avoid having all client PCs act as Kerberos clients.

Like I say, I see some "not possible" replies, but some of them are pretty dated. I also see some replies (like this one from 2004: http://lists.samba.org/archive/samba/2004-April/084387.html ) which propose some slightly different ways of achieving similar ends, but not quite what I want to accomplish.

Obviously, if anybody has already implemented the type of solution I lay out, I would buy them lunch (real or virtual) if they would share the details. Alternatively if anybody can authoritatively spell out why this just won't work, then I guess I can move on to the "grieving" stage :) If there is a grey area here, some opportunity to experiment, well, I'm game.

Thanks!

Jim

Michael Schurter wrote:
> Asier Baranguán wrote:
>> Hi!
>>
>> Perhaps this is not the appropriate list, but I need some advice. I have a working Samba PDC with an LDAP backend over a secure TLS connection, with W2000 and XP clients. I've read in a lot of places that Kerberos is a very nice thing to have in the setup but I cannot see why. I know the foundations of kerberos but I can't see how much "value" it will add to the setup. Am I missing something? please, help.
>
> Windows clients (as well as properly configured UNIX clients) will use Kerberos to authenticate against your PDC and between one another. The advantage Kerberos has is that it allows single sign on: 2 clients both authenticate once against the PDC, and then they can use their kerberos tickets to authenticate one another as well (without having to manually login with usernames and passwords again).
Re: [Samba] Samba + LDAP + ¿Kerberos?
Asier Baranguán wrote:
> Hi!
>
> Perhaps this is not the appropriate list, but I need some advice. I have a working Samba PDC with an LDAP backend over a secure TLS connection, with W2000 and XP clients. I've read in a lot of places that Kerberos is a very nice thing to have in the setup but I cannot see why. I know the foundations of kerberos but I can't see how much "value" it will add to the setup. Am I missing something? please, help.

Windows clients (as well as properly configured UNIX clients) will use Kerberos to authenticate against your PDC and between one another. The advantage Kerberos has is that it allows single sign on: 2 clients both authenticate once against the PDC, and then they can use their kerberos tickets to authenticate one another as well (without having to manually login with usernames and passwords again).
[Samba] Samba + LDAP + ¿Kerberos?
Hi!

Perhaps this is not the appropriate list, but I need some advice. I have a working Samba PDC with an LDAP backend over a secure TLS connection, with W2000 and XP clients. I've read in a lot of places that Kerberos is a very nice thing to have in the setup but I cannot see why. I know the foundations of kerberos but I can't see how much "value" it will add to the setup. Am I missing something? please, help.

Thanks
Re: [Samba] Samba + (LDAP + Kerberos V)
Andrew Bartlett írta:
> On Thu, 2004-10-21 at 06:46, Gémes Géza wrote:
>> Matt Joyce írta:
>> That's very easy to explain, because if you follow it you will have your
>> kerberos using Samba's MD4 password hash, and so all of your *nix and
>> windows machines will use the same password. However as Samba3 is able to
>> emulate an NT4 DC, Windows clients don't try, nor are successful in using
>> kerberos against it. So you can have something like in the following
>> ASCII graphic:
>
> Care to un-line wrap that and put it into the Wiki?
>
> Andrew Bartlett

Attached is a reworked version. Looks right in vi, kwrite, gedit.

Geza

-- 
To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Samba + (LDAP + Kerberos V)
Hi,

>>> You can read more about it at:
>>> https://sec.miljovern.no/bin/view/Info/HeimdalKerberosSambaAndOpenLdap
>>> I would be very happy for any input and suggestions to the howto. Tarjei
>>>
>>>> Now, assuming the worst and samba is incapable of handling kerberos
>>>> tickets, and assuming I manage to handle tickets in ldap itself
>>>> I can authenticate LDAP Samba users off Kerberos without having to
>>>> keep a synced password db, correct?
>>>>
>>>> -Matt
>>>
>>> Cheers
>>>
>>> Geza
>>>
>> yeah that's almost decent documentation for ldap + kerberos but says
>> absolutely nothing about samba 3.
>>
> That's very easy to explain, because if you follow it you will have your
> kerberos using Samba's MD4 password hash, and so all of your *nix and
> windows machines will use the same password. However as Samba3 is able to
> emulate an NT4 DC, Windows clients don't try, nor are successful in using
> kerberos against it. So you can have something like in the following
> ASCII graphic:
>
> [ASCII diagram, garbled in the archive; the recoverable content is five boxes: LDAP and Samba side by side, connected by arrows, with a *nix client attached to Samba, a Heimdal box below LDAP and a Windows client box below Samba, each connected upward by an arrow.]
>
> Hope this helps to clarify the situation in a pre-Samba4 world.
>
> Cheers,
>
> Geza

Mob: 920 63 413

-- 
A Mathematician is a machine for turning coffee into theorems. - Paul Erdős
Re: [Samba] Samba + (LDAP + Kerberos V)
On Thu, 2004-10-21 at 06:46, Gémes Géza wrote:
> Matt Joyce írta:
> That's very easy to explain, because if you follow it you will have your
> kerberos using Samba's MD4 password hash, and so all of your *nix and
> windows machines will use the same password. However as Samba3 is able to
> emulate an NT4 DC, Windows clients don't try, nor are successful in using
> kerberos against it. So you can have something like in the following
> ASCII graphic:

Care to un-line wrap that and put it into the Wiki?

Andrew Bartlett

-- 
Andrew Bartlett                                 [EMAIL PROTECTED]
Authentication Developer, Samba Team            http://samba.org
Student Network Administrator, Hawker College   [EMAIL PROTECTED]
Re: [Samba] Samba + (LDAP + Kerberos V)
Matt Joyce írta:
> Gémes Géza wrote:
>> Matt Joyce írta:
>>> So like at least a handful of people before me I have begun the valiant struggle to unify logins at my place of business. I have setup a test LDAP + Kerberos V cluster. And I have setup a test Samba 3 PDC.
>>>
>>> What I would like to do is get Samba to handle kerberos ticket granting and authentication to the (LDAP + Kerberos V) Directory. Such that Windows is completely unaware of the existence of Kerberos. And, also such that I don't have to keep samba domain passwords in ldap and sync them to kerberos in some sort of bizarre otherworldly failure in authentication unification. (Pardon my attempts at prose I am working on 3 hours of sleep)
>>>
>>> The question is really one of what you might suggest in terms of a design, particularly if you have tried and/or done this in the past. I have heard at least with samba 2 what I am trying is impossible. Not sure with Samba 3. I am wondering if the Active Directory support can be employed to my benefit in this manner.
>>
>> You can read more about it at:
>> https://sec.miljovern.no/bin/view/Info/HeimdalKerberosSambaAndOpenLdap
>>
>>> Now, assuming the worst and samba is incapable of handling kerberos tickets, and assuming I manage to handle tickets in ldap itself I can authenticate LDAP Samba users off Kerberos without having to keep a synced password db, correct?
>>>
>>> -Matt
>>
>> Cheers
>>
>> Geza
>
> yeah that's almost decent documentation for ldap + kerberos but says absolutely nothing about samba 3.

That's very easy to explain, because if you follow it you will have your kerberos using Samba's MD4 password hash, and so all of your *nix and windows machines will use the same password. However as Samba3 is able to emulate an NT4 DC, Windows clients don't try, nor are successful in using kerberos against it.

So you can have something like in the following ASCII graphic:

[ASCII diagram, garbled in the archive; the recoverable content is five boxes: LDAP and Samba side by side, connected by arrows, with a *nix client attached to Samba, a Heimdal box below LDAP and a Windows client box below Samba, each connected upward by an arrow.]

Hope this helps to clarify the situation in a pre-Samba4 world.

Cheers,

Geza
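Andrew Bartlett's remark in the 2007 thread above ("the sambaNTPassword is what Microsoft made the arcfour-hmac-md5 kerberos key out of") and Geza's point here that the howto leaves Kerberos "using Samba's MD4 password hash" rest on one fact: the NT hash Samba stores and the RC4-HMAC Kerberos string-to-key (RFC 4757) are both MD4 over the UTF-16LE encoding of the password, so a KDC that can read sambaNTPassword needs no second password store. The Python below is an added example written for this page; it is not code from the thread, from Samba or from Heimdal, and the function names, the constructed SAMPLE_ENTRY and the candidate passwords are its own. It carries a small pure-Python MD4 because hashlib on OpenSSL 3 systems commonly refuses the legacy algorithm, and it ends with the comparison a KDC backed by the Samba schema effectively performs, which is also why that attribute has to be protected as a password-equivalent (LDAP ACLs, TLS, no world-readable dumps).

```python
"""Added example: why sambaNTPassword doubles as the arcfour-hmac-md5 key.

Not code from the Samba list, Samba or Heimdal.  Function names and the
sample LDAP entry are constructed for this demonstration.
"""
import struct

MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def _md4_round(state, f, X, order, shifts, k):
    # One 16-step MD4 round; rotating (a, b, c, d) each step reproduces the
    # a/d/c/b update pattern of RFC 1320 without writing 16 lines per round.
    a, b, c, d = state
    for i, idx in enumerate(order):
        a = _rotl((a + f(b, c, d) + X[idx] + k) & MASK, shifts[i % 4])
        a, b, c, d = d, a, b, c
    return [a, b, c, d]


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 digest (pure Python; hashlib may lack 'md4')."""
    bit_len = (len(data) * 8) & 0xFFFFFFFFFFFFFFFF
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", bit_len)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        s = list(h)
        s = _md4_round(s, F, X, range(16), (3, 7, 11, 19), 0)
        s = _md4_round(s, G, X, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15),
                       (3, 5, 9, 13), 0x5A827999)
        s = _md4_round(s, H, X, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15),
                       (3, 9, 11, 15), 0x6ED9EBA1)
        h = [(x + y) & MASK for x, y in zip(h, s)]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> bytes:
    """Windows NT hash, the value Samba keeps in sambaNTPassword: MD4(UTF-16LE(pw))."""
    return md4(password.encode("utf-16-le"))


def rc4_hmac_key(password: str) -> bytes:
    """RFC 4757 string-to-key for enctype arcfour-hmac-md5 (23).

    The Kerberos salt is ignored for this enctype; the key is exactly the NT
    hash, which is the equivalence the thread relies on."""
    return nt_hash(password)


def samba_nt_attribute(password: str) -> str:
    """sambaNTPassword as stored in LDAP: 32 uppercase hex characters."""
    return nt_hash(password).hex().upper()


# Constructed LDAP entry in the Samba 3 schema (not a real account).
SAMPLE_ENTRY = {
    "uid": "jdoe",
    "sambaNTPassword": "8846F7EAEE8FB117AD06BDD830B7586C",  # NT hash of "password"
}


def kdc_key_matches(ldap_entry: dict, password: str) -> bool:
    """What a KDC that reads sambaNTPassword effectively checks: the stored
    attribute, taken as the arcfour-hmac-md5 key, against the key a client
    would derive from the password it typed."""
    stored = bytes.fromhex(ldap_entry["sambaNTPassword"])
    return stored == rc4_hmac_key(password)


if __name__ == "__main__":
    print("sambaNTPassword for sample user:", samba_nt_attribute("password"))
    print("same bytes as arcfour-hmac-md5 key:",
          nt_hash("password") == rc4_hmac_key("password"))
    print("KDC check with correct password:", kdc_key_matches(SAMPLE_ENTRY, "password"))
```

The equality of nt_hash and rc4_hmac_key is the whole reason a synced second password store is unnecessary, and equally the reason an LDAP ACL or backup that exposes sambaNTPassword exposes the Kerberos key along with it; the attribute deserves the same read restrictions as a keytab.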
Re: [Samba] Samba + (LDAP + Kerberos V)
Matt Joyce írta:
> So like at least a handful of people before me I have begun the valiant struggle to unify logins at my place of business. I have setup a test LDAP + Kerberos V cluster. And I have setup a test Samba 3 PDC.
>
> What I would like to do is get Samba to handle kerberos ticket granting and authentication to the (LDAP + Kerberos V) Directory. Such that Windows is completely unaware of the existence of Kerberos. And, also such that I don't have to keep samba domain passwords in ldap and sync them to kerberos in some sort of bizarre otherworldly failure in authentication unification. (Pardon my attempts at prose I am working on 3 hours of sleep)
>
> The question is really one of what you might suggest in terms of a design, particularly if you have tried and/or done this in the past. I have heard at least with samba 2 what I am trying is impossible. Not sure with Samba 3. I am wondering if the Active Directory support can be employed to my benefit in this manner.

You can read more about it at:
https://sec.miljovern.no/bin/view/Info/HeimdalKerberosSambaAndOpenLdap

> Now, assuming the worst and samba is incapable of handling kerberos tickets, and assuming I manage to handle tickets in ldap itself I can authenticate LDAP Samba users off Kerberos without having to keep a synced password db, correct?
>
> -Matt

Cheers

Geza
[Samba] Samba + (LDAP + Kerberos V)
So like at least a handful of people before me I have begun the valiant struggle to unify logins at my place of business. I have setup a test LDAP + Kerberos V cluster. And I have setup a test Samba 3 PDC.

What I would like to do is get Samba to handle kerberos ticket granting and authentication to the (LDAP + Kerberos V) Directory. Such that Windows is completely unaware of the existence of Kerberos. And, also such that I don't have to keep samba domain passwords in ldap and sync them to kerberos in some sort of bizarre otherworldly failure in authentication unification. (Pardon my attempts at prose I am working on 3 hours of sleep)

The question is really one of what you might suggest in terms of a design, particularly if you have tried and/or done this in the past. I have heard at least with samba 2 what I am trying is impossible. Not sure with Samba 3. I am wondering if the Active Directory support can be employed to my benefit in this manner.

Now, assuming the worst and samba is incapable of handling kerberos tickets, and assuming I manage to handle tickets in ldap itself I can authenticate LDAP Samba users off Kerberos without having to keep a synced password db, correct?

-Matt
[Samba] Samba + LDAP + Kerberos
I have been working on getting the three of these to work together and I think that they are. (Mostly)

Anyway the real question is: Is there a way to setup samba and the ldap scripts that are distributed with Samba so that they don't use a plain text password? Maybe I'm just too paranoid, but the idea of putting the rootdn password in the slapd.conf and the smbldap_conf.pm seems a bit too risky.

Thanks,
Doug
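Doug's question above has a partial answer on the OpenLDAP side: the rootpw directive in slapd.conf accepts the hashed form that slappasswd(8) prints ({SSHA}, salted SHA-1), so only a hash needs to sit in that file. The script below is an added example for this page, not code from the thread, from OpenLDAP or from smbldap-tools; the function names, the sample password and the fixed salt in the demonstration are its own (a real salt comes from os.urandom, which is the default here). It produces and verifies the {SSHA} form and flags a rootpw line that is still cleartext. The bind password the smbldap scripts use is a different case: those scripts must present it to slapd, so it has to remain recoverable, and the mitigation is a separate file readable only by root rather than a world-readable config.

```python
"""Added example: hashed rootpw for slapd.conf and a check for cleartext ones.

Not code from the Samba list, OpenLDAP or smbldap-tools.  Sample values are
constructed for this demonstration.
"""
import base64
import hashlib
import hmac
import os

PREFIX = "{SSHA}"
SHA1_LEN = 20


def ssha_hash(password: str, salt: bytes = None) -> str:
    """Return a {SSHA} value usable as the rootpw directive in slapd.conf.

    Format (same as slappasswd -h {SSHA}): "{SSHA}" + base64(sha1(pw || salt) || salt).
    A fixed salt is only for reproducible demonstrations; default is random."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return PREFIX + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Check a password against a {SSHA} value, as slapd does on a rootdn bind."""
    if not stored.startswith(PREFIX):
        return False  # some other scheme ({CRYPT}, {MD5}, ...) or cleartext
    raw = base64.b64decode(stored[len(PREFIX):])
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)  # constant-time compare


def cleartext_rootpw_present(slapd_conf: str) -> bool:
    """True if the first rootpw line carries no '{scheme}' prefix, i.e. the
    rootdn secret is stored in cleartext (the risk Doug describes).
    Heuristic: slapd treats any value without a scheme prefix as cleartext."""
    for line in slapd_conf.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "rootpw":
            return not parts[1].strip().startswith("{")
    return False


# Constructed slapd.conf fragments for the demonstration.
WEAK_CONF = 'rootdn "cn=Manager,dc=example,dc=com"\nrootpw secret\n'


def hardened_conf(password: str) -> str:
    """Rewrite the sample config so rootpw holds the {SSHA} hash instead."""
    return 'rootdn "cn=Manager,dc=example,dc=com"\nrootpw %s\n' % ssha_hash(password)


if __name__ == "__main__":
    print("weak config stores cleartext:", cleartext_rootpw_present(WEAK_CONF))
    fixed = hardened_conf("secret")
    print(fixed)
    print("fixed config stores cleartext:", cleartext_rootpw_present(fixed))
```

With the hash in place, a copy of slapd.conf leaking no longer hands out the rootdn secret directly; the smbldap bind credential still does, which is why that file, not slapd.conf, is the one to lock down with 0600 permissions and a dedicated bind DN with only the rights the scripts need.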