Re: [Samba] OpenLDAP, heimdal kerberos, sasl, which order?

> http://www.math.gatech.edu/~dijuremo/ldap/
>
> However, you can add Kerberos to your existing Samba LDAP server. That is, if you run Heimdal 0.6.1 (or better still a snapshot) you can use your sambaNTpassword as the type 23 encryption key, and have linux/unix/OSX clients use kerberos.

Just curious if Heimdal will honor account flags like locked or disabled? And does it update/use the password can/must change attributes (for expiration, etc.)?

--
To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Re: [Samba] OpenLDAP, heimdal kerberos, sasl, which order?

On Fri, 2004-04-23 at 20:38, Adam Tauno Williams wrote:
> > http://www.math.gatech.edu/~dijuremo/ldap/
> >
> > However, you can add Kerberos to your existing Samba LDAP server. That is, if you run Heimdal 0.6.1 (or better still a snapshot) you can use your sambaNTpassword as the type 23 encryption key, and have linux/unix/OSX clients use kerberos.
>
> Just curious if Heimdal will honor account flags like locked or disabled?

Yes. Not very well, but they are honoured. (I need to look into the mapping a bit more.)

> And does it update/use the password can/must change attributes (for expiration, etc.)?

Not at present. What I really want to see is the password policy stuff go into OpenLDAP, and have it set the values for all users.

Andrew Bartlett

--
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team [EMAIL PROTECTED]
Student Network Administrator, Hawker College [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net
Re: [Samba] OpenLDAP, heimdal kerberos, sasl, which order?

On Thu, 2004-04-15 at 21:47, Diego Julian Remolina wrote:
> If you want to see the order on how to compile them and get them to work then look at: http://www.math.gatech.edu/~dijuremo/ldap/
>
> If you have a Native Windows PDC and samba is acting as a secondary then you can have kerberos authentication against the windows PDC kerberos. This is done with a cross-realm authentication trick as I was told by Gerald Carter (one of the developers of samba). Samba 3 does not support kerberos auths without having a Windows PDC with Active Directory. If you do not have a native windows pdc then you need to authenticate against the passwords stored in tdbsam or ldapsam but not on kerberos.

See, this is the trick I've been talking about. Technically, Samba can use kerberos without a windows DC, but there are some silly (and some not quite so silly) reasons why that's not an option right now.

However, you can add Kerberos to your existing Samba LDAP server. That is, if you run Heimdal 0.6.1 (or better still a snapshot) you can use your sambaNTpassword as the type 23 encryption key, and have linux/unix/OSX clients use kerberos.

Andrew Bartlett

--
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team [EMAIL PROTECTED]
Student Network Administrator, Hawker College [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net
Re: [Samba] OpenLDAP, heimdal kerberos, sasl, which order?

Andrew Bartlett wrote:
> On Thu, 2004-04-22 at 22:29, Dan Hill wrote:
> > Andrew Bartlett wrote:
> > > On Thu, 2004-04-15 at 21:47, Diego Julian Remolina wrote:
> > > > If you want to see the order on how to compile them and get them to work then look at: http://www.math.gatech.edu/~dijuremo/ldap/
> > > >
> > > > If you have a Native Windows PDC and samba is acting as a secondary then you can have kerberos authentication against the windows PDC kerberos. This is done with a cross-realm authentication trick as I was told by Gerald Carter (one of the developers of samba). Samba 3 does not support kerberos auths without having a Windows PDC with Active Directory. If you do not have a native windows pdc then you need to authenticate against the passwords stored in tdbsam or ldapsam but not on kerberos.
> > >
> > > See, this is the trick I've been talking about. Technically, Samba can use kerberos without a windows DC, but there are some silly (and some not quite so silly) reasons why that's not an option right now.
> > >
> > > However, you can add Kerberos to your existing Samba LDAP server. That is, if you run Heimdal 0.6.1 (or better still a snapshot) you can use your sambaNTpassword as the type 23 encryption key, and have linux/unix/OSX clients use kerberos.
> > >
> > > Andrew Bartlett
> >
> > Thanks for the link. Is it very difficult to add the Kerberos support after an LDAP Samba PDC/BDC setup has been configured and in production mode?
>
> Samba won't know the difference - but the new Heimdal KDC however will operate on exactly the same passwords! You could even do it on a read-only LDAP slave, if you don't intend to change passwords (password changes are probably best done by Samba only at this point).
>
> Andrew Bartlett

Firstly, sorry about not sending my above message to the list. I guess I hit reply rather than reply-all.

Thanks. I will be giving Heimdal a try.

~Dan
Re: [Samba] OpenLDAP, heimdal kerberos, sasl, which order?

If you want to see the order on how to compile them and get them to work then look at: http://www.math.gatech.edu/~dijuremo/ldap/

If you have a Native Windows PDC and samba is acting as a secondary then you can have kerberos authentication against the windows PDC kerberos. This is done with a cross-realm authentication trick as I was told by Gerald Carter (one of the developers of samba). Samba 3 does not support kerberos auths without having a Windows PDC with Active Directory. If you do not have a native windows pdc then you need to authenticate against the passwords stored in tdbsam or ldapsam but not on kerberos.

Diego

On Wed, 14 Apr 2004, José Ildefonso Camargo Tolosa wrote:
> Gémes Géza wrote:
> > If you have no *NIX clients, then you couldn't yet get any serious benefit from using Kerberos for Windows clients. So in this case I would suggest to build OpenSSL, OpenLDAP, and then Samba. Configure a certificate authority, if you don't want to use a commercially available one. Create certificates for your OpenLDAP server. Configure OpenLDAP. Configure nss_ldap and pam_ldap, to use TLS or SSL connections. Configure Samba, to connect using TLS or SSL to your LDAP server. In this way you can achieve the maximum security from the ldap+samba setup.
>
> Cool. I'll try that one to make it start, and have something to begin working with.
>
> I have *nix clients. See, what I mean to do is the following (not sure if it can work):
>
> + Install a kerberos client on the windows workstations (somebody told me that the win2k and up already have one (probably a non standard one)) and, of course, on the *nix workstations.
> + Make people authenticate to a KDC.
> + Using the kerberos ticket, the user should be able to access his/her folders on the samba server, without having to log into the samba again.
> + The user should be able to log in to her/his mail (a pop/imap server) without having to put his/her password again (this one I already know it works).
> + Be able to use ldap to centralize the users (maybe the ldap as backend to kerberos).
> + Of course the profiles of mozilla and others would go into the server, thus creating roaming profiles (this is a cosmetic one, first I need the thing working).
>
> I'm not sure on how to make this, I have several options, but not sure if it can be done (never seen something like this on the docs):
>
> 1. Make samba a kerberos service, so that samba authenticates the users using the kerberos mechanism:
>
> This implies this order:
>
> samba - kerberos 5 - ldap (can this actually be done?). (this reads: samba asks kerberos, and kerberos asks ldap).
> workstation - kerberos 5 - ldap (this is what would happen on the client side).
>
> In this one, I'm not sure how the log-in would work, I think that the workstations will not use a domain, and hence would not use the authentication methods provided by samba.
>
> 2. The option I have seen in many docs:
>
> samba - ldap - sasl - kerberos (not sure how this one works, I guess it is something like the ldap is a kerberos service, and users authenticate to samba using the directory, but they don't use the kerberos for authentication, this would mean that the SSO (single sign on) would not work?).
>
> Any docs, any help is welcome,
>
> Thanks for the fast answer, and once again, thanks in advance for any help on this,
>
> Sincerely,
>
> Ildefonso Camargo
> [EMAIL PROTECTED]
> [EMAIL PROTECTED]
Re: [Samba] OpenLDAP, heimdal kerberos, sasl, which order?

José Ildefonso Camargo Tolosa wrote:
| Gémes Géza wrote:
| > If you have no *NIX clients, then you couldn't yet get any serious benefit from using Kerberos for Windows clients. So in this case I would suggest to build OpenSSL, OpenLDAP, and then Samba. Configure a certificate authority, if you don't want to use a commercially available one. Create certificates for your OpenLDAP server. Configure OpenLDAP. Configure nss_ldap and pam_ldap, to use TLS or SSL connections. Configure Samba, to connect using TLS or SSL to your LDAP server. In this way you can achieve the maximum security from the ldap+samba setup.
|
| Cool. I'll try that one to make it start, and have something to begin working with.
|
| I have *nix clients. See, what I mean to do is the following (not sure if it can work):
|
| + Install a kerberos client on the windows workstations (somebody told me that the win2k and up already have one (probably a non standard one)) and, of course, on the *nix workstations.
| + Make people authenticate to a KDC.
| + Using the kerberos ticket, the user should be able to access his/her folders on the samba server, without having to log into the samba again.
| + The user should be able to log in to her/his mail (a pop/imap server) without having to put his/her password again (this one I already know it works).
| + Be able to use ldap to centralize the users (maybe the ldap as backend to kerberos).
| + Of course the profiles of mozilla and others would go into the server, thus creating roaming profiles (this is a cosmetic one, first I need the thing working).
|
| I'm not sure on how to make this, I have several options, but not sure if it can be done (never seen something like this on the docs):
|
| 1. Make samba a kerberos service, so that samba authenticates the users using the kerberos mechanism:
|
| This implies this order:
|
| samba - kerberos 5 - ldap (can this actually be done?). (this reads: samba asks kerberos, and kerberos asks ldap).
| workstation - kerberos 5 - ldap (this is what would happen on the client side).
|
| In this one, I'm not sure how the log-in would work, I think that the workstations will not use a domain, and hence would not use the authentication methods provided by samba.
|
| 2. The option I have seen in many docs:
|
| samba - ldap - sasl - kerberos (not sure how this one works, I guess it is something like the ldap is a kerberos service, and users authenticate to samba using the directory, but they don't use the kerberos for authentication, this would mean that the SSO (single sign on) would not work?).

Currently NO non-AD Kerberos server is able to issue kerberos tickets with MSPAC authorization data, which are needed by Win2k and upward Windows clients. So you could get use of a Kerberos server only for *NIX clients.

I would recommend the following setup:

OpenLDAP
Samba with ldapsam backend
Current snapshot of Heimdal with ldap database. Configure Heimdal to use the Samba NT Password hashes.
And configure SASL, also patch it with the loriket patch.
Configure your *NIX clients, to use pam_heimdal and nss_ldap.

In this way you would have:

*NIX host-----AUTH-----Heimdal-----DATABASE ACCESS-----LDAP
  |                                                      ^
  |                                                      |
  |                                                      |
  +-----AUTHORIZATION and ACCOUNT information------------+
                                                         |
                                                         |
Windows host-----Samba-----------------------------------+

Cheers,

Geza
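Andrew's remark earlier in the thread that the sambaNTpassword can serve as the "type 23 encryption key" and Geza's step "Configure Heimdal to use the Samba NT Password hashes" rest on one fact: the NT hash Samba stores is MD4 over the UTF-16LE encoding of the password, and RFC 4757 defines exactly that 16-byte value as the RC4-HMAC (enctype 23) long-term key, so the KDC needs no separate key material. The Python below is an added illustration, not code from this thread, from Samba or from Heimdal; MD4 is written out in full because hashlib's MD4 is a legacy OpenSSL algorithm that many builds disable, and the password used is a constructed sample.

```python
"""Why a Samba sambaNTPassword value can be used directly as a Kerberos
enctype 23 (RC4-HMAC) key.  Added example, not from the thread, Samba or
Heimdal.  The password below is a constructed sample, not a real account.
"""
import struct

_MASK = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    """Rotate a 32-bit word left by n bits."""
    return ((x << n) | (x >> (32 - n))) & _MASK


def md4(data: bytes) -> bytes:
    """MD4 (RFC 1320) digest of data, 16 bytes, little-endian output."""
    # Padding: a 0x80 byte, zeros up to 56 mod 64, then the bit length as u64 LE.
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg)) % 64)
    msg += struct.pack("<Q", len(data) * 8)

    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        # (boolean function, message-word order, per-step shifts, additive constant)
        (lambda x, y, z: (x & y) | (~x & z), list(range(16)), (3, 7, 11, 19), 0),
        (lambda x, y, z: (x & y) | (x & z) | (y & z),
         [(i % 4) * 4 + i // 4 for i in range(16)], (3, 5, 9, 13), 0x5A827999),
        (lambda x, y, z: x ^ y ^ z,
         [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        s = list(state)
        for f, order, shifts, k in rounds:
            for i, idx in enumerate(order):
                # Update the first register, then rotate the list so the next
                # step operates on (d, a, b, c), (c, d, a, b), ... as in the RFC.
                s[0] = _rotl((s[0] + f(s[1], s[2], s[3]) + X[idx] + k) & _MASK, shifts[i % 4])
                s = [s[3], s[0], s[1], s[2]]
        state = [(a + b) & _MASK for a, b in zip(state, s)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """The NT hash: MD4 over the UTF-16LE encoded password (no salt)."""
    return md4(password.encode("utf-16le"))


def samba_nt_password_attr(password: str) -> str:
    """Value Samba writes to the LDAP attribute sambaNTPassword: 32 upper-case hex digits."""
    return nt_hash(password).hex().upper()


def rc4_hmac_string_to_key(password: str) -> bytes:
    """RFC 4757 string-to-key for enctype 23: MD4(UTF-16LE(password)).

    Written separately from nt_hash on purpose: the two definitions coincide,
    which is the whole reason a Heimdal KDC can read Samba's attribute as a key.
    """
    return md4(password.encode("utf-16le"))


def key_from_samba_attr(attr_value: str) -> bytes:
    """Decode a sambaNTPassword attribute value into the 16-byte enctype 23 key.

    No derivation is involved; the attribute is the key.  The check only
    rejects values that are not 32 hex digits.
    """
    if len(attr_value) != 32 or any(c not in "0123456789abcdefABCDEF" for c in attr_value):
        raise ValueError("sambaNTPassword must be exactly 32 hex digits")
    return bytes.fromhex(attr_value)


if __name__ == "__main__":
    sample = "password"  # constructed sample password
    attr = samba_nt_password_attr(sample)
    print("sambaNTPassword:", attr)
    print("equal to RFC 4757 enctype 23 key:",
          key_from_samba_attr(attr) == rc4_hmac_string_to_key(sample))
```

The practical consequence for the setups discussed in this thread is that anyone who can read sambaNTPassword holds every user's enctype 23 key without further work, which is why Geza's advice to carry the LDAP traffic over TLS/SSL, and an LDAP ACL that restricts that attribute to the Samba and KDC service identities, matter as much as the KDC configuration itself.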
Re: [Samba] OpenLDAP, heimdal kerberos, sasl, which order?

José Ildefonso Camargo Tolosa wrote:
| Hi!
|
| I have been reading for about two weeks (maybe I'm reading on the wrong places). I have found as many documents as one could expect describing how to build a LDAPv3 server, or how to build samba with ldap. This far, I have failed, and have a BIG confusion in the order in which the things should go:
|
| In one document, they recommend this:
|
| samba - ldap - sasl - kerberos (so, the passwords get stored in the kerberos database, at least that's what they say, but... does the samba schema do this in fact? will the samba passwords be kept in the kerberos database?, or does it just store the passwords in the ldap's database).
|
| In other (simpler):
|
| samba - ldap
| and:
| kerberos - ldap (thus, storing the kerberos passwords in the ldap (duh...)).
|
| All that I'm trying to do is to get a PDC with a directory service, but I need it to be secure (that's why I'm bothering with kerberos). Anyway, I would like to know: in which order should I build the thing?:
|
| Build orders:
|
| 1. kerberos, next sasl, next ldap, next samba (configured for samba - ldap - sasl - kerberos).
| 2. ldap, next samba (just samba - ldap, without kerberos password storing).
|
| Also, if I use the option 1, should the windows clients use a kerberos client?, or do they just login as usual. Has anybody tested something like this?
|
| My system:
|
| Hardware:
| + Athlon XP 1500+, 512Mb RAM (133).
|
| Software:
| + Slackware 9.1 (with kernel 2.6.5), and most recent upgrades of all packages.
| + OpenLDAP 2.2.8
| + kerberos: MIT kerberos 1.3.2 (read somewhere that it has thread issues, I'm thinking to move to heimdal, any suggestions?), heimdal 0.6.1.
| + samba 3.0.2a
| + cyrus sasl 2.1.18
| + Berkeley db 4.2.52
| + open ssl 0.9.7d.
|
| Thanks in advance for your help,
|
| Sincerely,
|
| Ildefonso Camargo
| [EMAIL PROTECTED]

If you have no *NIX clients, then you couldn't yet get any serious benefit from using Kerberos for Windows clients. So in this case I would suggest to build OpenSSL, OpenLDAP, and then Samba. Configure a certificate authority, if you don't want to use a commercially available one. Create certificates for your OpenLDAP server. Configure OpenLDAP. Configure nss_ldap and pam_ldap, to use TLS or SSL connections. Configure Samba, to connect using TLS or SSL to your LDAP server. In this way you can achieve the maximum security from the ldap+samba setup.

Cheers

Geza
Re: [Samba] OpenLDAP, heimdal kerberos, sasl, which order?

Gémes Géza wrote:
> If you have no *NIX clients, then you couldn't yet get any serious benefit from using Kerberos for Windows clients. So in this case I would suggest to build OpenSSL, OpenLDAP, and then Samba. Configure a certificate authority, if you don't want to use a commercially available one. Create certificates for your OpenLDAP server. Configure OpenLDAP. Configure nss_ldap and pam_ldap, to use TLS or SSL connections. Configure Samba, to connect using TLS or SSL to your LDAP server. In this way you can achieve the maximum security from the ldap+samba setup.

Cool. I'll try that one to make it start, and have something to begin working with.

I have *nix clients. See, what I mean to do is the following (not sure if it can work):

+ Install a kerberos client on the windows workstations (somebody told me that the win2k and up already have one (probably a non standard one)) and, of course, on the *nix workstations.
+ Make people authenticate to a KDC.
+ Using the kerberos ticket, the user should be able to access his/her folders on the samba server, without having to log into the samba again.
+ The user should be able to log in to her/his mail (a pop/imap server) without having to put his/her password again (this one I already know it works).
+ Be able to use ldap to centralize the users (maybe the ldap as backend to kerberos).
+ Of course the profiles of mozilla and others would go into the server, thus creating roaming profiles (this is a cosmetic one, first I need the thing working).

I'm not sure on how to make this, I have several options, but not sure if it can be done (never seen something like this on the docs):

1. Make samba a kerberos service, so that samba authenticates the users using the kerberos mechanism:

This implies this order:

samba - kerberos 5 - ldap (can this actually be done?). (this reads: samba asks kerberos, and kerberos asks ldap).
workstation - kerberos 5 - ldap (this is what would happen on the client side).

In this one, I'm not sure how the log-in would work, I think that the workstations will not use a domain, and hence would not use the authentication methods provided by samba.

2. The option I have seen in many docs:

samba - ldap - sasl - kerberos (not sure how this one works, I guess it is something like the ldap is a kerberos service, and users authenticate to samba using the directory, but they don't use the kerberos for authentication, this would mean that the SSO (single sign on) would not work?).

Any docs, any help is welcome,

Thanks for the fast answer, and once again, thanks in advance for any help on this,

Sincerely,

Ildefonso Camargo
[EMAIL PROTECTED]
[EMAIL PROTECTED]