Re: [Samba] Samba authentication to Kerberos via OpenLDAP, third and last try

2008-04-04 Thread Wes Deviers
On Thu 3 Apr  2008 5:00:36 pm Wes Modes wrote:
 Volker Lendecke wrote:
  On Thu, Apr 03, 2008 at 01:34:30PM -0700, Wes Modes wrote:
  The question and the challenge:  Any leads on how I might convince Samba
  to pass the input password on to OpenLDAP so that OpenLDAP can
  authenticate it against Kerberos?
 
  The only chance is that you modify each client's registry to
  send plain text passwords to the server over the network,
  downgrading your security to what telnet provided ages ago.
  You can guess that this is ABSOLUTELY NOT recommended. If
  you go with standard Windows authentication schemes, the
  SMB server never sees the user's plain text password which
  would be required to authenticate against Kerberos.
 
  Volker

 Yeah, I'm not so keen on sending plaintext passwords anywhere.

 It is already moderately-well documented how to connect Samba up to use
 Kerberos authentication.  And my guess is that the Kerberos model would
 not allow passwords to be sent plaintext.  More likely an encrypted hash
 gets passed?  I don't know the precise mechanism, but would like to.

 But beyond that, how could one use Samba to pass that encrypted password
 to LDAP to pass on to Kerberos to authenticate?


Note: this is from my experience and research, both of which are extensive but 
probably wrong.  I wanted to do a similar thing (poor man's SSO).

I believe the problem is twofold:

1) The client never actually sends the password.  By default, it sends a 
response to a challenge from the server; the response is based on the 
password.  So the password, in any form, never traverses the network unless 
you explicitly turn on that compatibility model.  Samba can't forward what it 
doesn't have.

2) Using LDAP for authentication is... a hack, to put it bluntly.  Everybody 
does it, but we probably shouldn't.  The problem is that either 
authentication scenario (bind against LDAP = Good! or query the tree for 
user/pw/group/etc) would require modifications to the LDAP server.  It could 
accept the password, request a certificate and then store the token and 
return the correct answer if the token is good and intentionally return 
an incorrect answer if the Kerb auth fails.

Since you can't send passwords in plaintext for obvious reasons, a simple or 
complex way to do this escapes me.  

I assume that you're not doing domain logins.  You could write a web interface 
or quick Java craplet (or a keylogger...) that takes a login from the user 
and captures their password.  Then you can feed that to a process on the LDAP 
server which authenticates against kerberos; if the authentication succeeds, 
you dump the hashed/crypted version of the password into the LDAP directory 
for authentication use later.  

Convoluted, but you could make it work.

Wes



-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


Re: [Samba] Samba authentication to Kerberos via OpenLDAP, third and last try

2008-04-03 Thread Volker Lendecke
On Thu, Apr 03, 2008 at 01:34:30PM -0700, Wes Modes wrote:
 The question and the challenge:  Any leads on how I might convince Samba 
 to pass the input password on to OpenLDAP so that OpenLDAP can 
 authenticate it against Kerberos?

The only chance is that you modify each client's registry to
send plain text passwords to the server over the network,
downgrading your security to what telnet provided ages ago.
You can guess that this is ABSOLUTELY NOT recommended. If
you go with standard Windows authentication schemes, the
SMB server never sees the user's plain text password which
would be required to authenticate against Kerberos.

Volker


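The mechanism behind both replies above (Wes Deviers' point 1, that the client sends a challenge response derived from the password rather than the password, and Volker's point that the SMB server never sees the plain text), as an added worked example that is not part of this thread or of Samba's code: a complete NTLMv2 exchange in Python, with the server side verifying from nothing but the stored NT hash. The user name, domain, challenges and timestamp are constructed values; the MD4 routine is written out because OpenSSL builds frequently disable hashlib's md4.

```python
"""NTLMv2 challenge/response (MS-NLMP), added example, not Samba code.
The client proves it knows the password with an HMAC over a server-chosen
challenge; the server checks it with the stored NT hash and never learns
the password itself."""
import hashlib
import hmac
import os
import struct

_M = 0xFFFFFFFF


def _rol(x, n):
    return ((x << n) | (x >> (32 - n))) & _M


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is often unavailable."""
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for i in range(16):  # round 1: (a,b,c,d) rotate one place per step
            a = _rol((a + f(b, c, d) + x[i]) & _M, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2: words 0,4,8,12,1,5,9,13,...
            k = (i % 4) * 4 + i // 4
            a = _rol((a + g(b, c, d) + x[k] + 0x5A827999) & _M, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3: fixed word order from the RFC
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a = _rol((a + h(b, c, d) + x[k] + 0x6ED9EBA1) & _M, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a0, b0, c0, d0 = (a0 + a) & _M, (b0 + b) & _M, (c0 + c) & _M, (d0 + d) & _M
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password: str) -> bytes:
    """NT hash, i.e. what Samba keeps in sambaNTPassword: MD4 over UTF-16LE."""
    return md4(password.encode("utf-16-le"))


def ntowf_v2(nt: bytes, user: str, domain: str) -> bytes:
    """NTLMv2 key: HMAC-MD5 over UPPER(user)+domain, keyed with the NT hash."""
    return hmac.new(nt, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def build_temp(timestamp: int, client_challenge: bytes, av_pairs: bytes = b"\x00" * 4) -> bytes:
    """The client 'blob': RespType/HiRespType, reserved, FILETIME, client nonce,
    reserved, AV pairs (here only the MsvAvEOL terminator)."""
    return (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp)
            + client_challenge + b"\x00" * 4 + av_pairs)


def client_response(password, user, domain, server_challenge, client_challenge, timestamp):
    """What goes on the wire: NTProofStr || temp. The password stays on the client."""
    temp = build_temp(timestamp, client_challenge)
    key = ntowf_v2(nt_hash(password), user, domain)
    proof = hmac.new(key, server_challenge + temp, hashlib.md5).digest()
    return proof + temp


def server_verify(stored_nt_hash, user, domain, server_challenge, response) -> bool:
    """Server side: recompute the HMAC from the stored hash and the challenge it
    issued. A wrong password, a different challenge (replay) or a truncated
    response all fail; the password itself is never recoverable here."""
    if len(response) < 16 + 32:  # proof + minimal temp
        return False
    proof, temp = response[:16], response[16:]
    key = ntowf_v2(stored_nt_hash, user, domain)
    expected = hmac.new(key, server_challenge + temp, hashlib.md5).digest()
    return hmac.compare_digest(proof, expected)


def demo():
    """Constructed exchange; a real server draws its challenge from os.urandom(8)."""
    password, user, domain = "Passw0rd!", "alice", "EXAMPLE"   # constructed
    server_challenge = bytes.fromhex("0123456789abcdef")       # constructed
    client_challenge = bytes.fromhex("fedcba9876543210")       # constructed
    timestamp = 128_000_000_000_000_000                        # constructed FILETIME
    stored = nt_hash(password)  # all the server ever holds
    resp = client_response(password, user, domain, server_challenge, client_challenge, timestamp)
    return {
        "good": server_verify(stored, user, domain, server_challenge, resp),
        "wrong_password": server_verify(nt_hash("hunter2"), user, domain, server_challenge, resp),
        "replayed": server_verify(stored, user, domain, os.urandom(8), resp),
    }


if __name__ == "__main__":
    print(demo())
```

The thing to notice is what `server_verify` takes: the NT hash, a one-way function of the password, which is all Samba stores (sambaNTPassword when the backend is LDAP). The server can answer yes or no, but it cannot turn that hash back into the password a Kerberos KDC would need to derive the user's key, which is the gap both replies describe. NTLMv1 and LM responses are weaker variants of the same challenge/response shape; the davenport link Volker gives covers them.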

Re: [Samba] Samba authentication to Kerberos via OpenLDAP, third and last try

2008-04-03 Thread Volker Lendecke
On Thu, Apr 03, 2008 at 02:00:36PM -0700, Wes Modes wrote:
 It is already moderately-well documented how to connect Samba up to use 
 Kerberos authentication.  And my guess is that the Kerberos model would 
 not allow passwords to be sent plaintext.  More likely an encrypted hash 
 gets passed?  I don't know the precise mechanism, but would like to.

http://davenport.sourceforge.net/ntlm.html

Enjoy.

Volker



Re: [Samba] Samba authentication to Kerberos via OpenLDAP, third and last try

2008-04-03 Thread Wes Modes
Volker Lendecke wrote:
 On Thu, Apr 03, 2008 at 01:34:30PM -0700, Wes Modes wrote:
  The question and the challenge:  Any leads on how I might convince Samba 
  to pass the input password on to OpenLDAP so that OpenLDAP can 
  authenticate it against Kerberos?

 The only chance is that you modify each client's registry to
 send plain text passwords to the server over the network,
 downgrading your security to what telnet provided ages ago.
 You can guess that this is ABSOLUTELY NOT recommended. If
 you go with standard Windows authentication schemes, the
 SMB server never sees the user's plain text password which
 would be required to authenticate against Kerberos.

 Volker

Yeah, I'm not so keen on sending plaintext passwords anywhere. 

It is already moderately-well documented how to connect Samba up to use 
Kerberos authentication.  And my guess is that the Kerberos model would 
not allow passwords to be sent plaintext.  More likely an encrypted hash 
gets passed?  I don't know the precise mechanism, but would like to.


But beyond that, how could one use Samba to pass that encrypted password 
to LDAP to pass on to Kerberos to authenticate?


W.

--

Wes Modes
Server Administrator & Programmer Analyst
McHenry Library
Computing & Network Services
Information and Technology Services
459-5208