Re: [Samba] Samba to Kerberos via OpenLDAP

2008-03-12 Thread Andrew Bartlett

On Fri, 2008-03-07 at 15:26 -0800, Wes Modes wrote:
> First, I'll just say this is a question principally about the arcane 
> mysteries of Samba to OpenLDAP authentication. 
> 
> I've had Samba to OpenLDAP authentication running for a while now using 
> the samba.schema and the ldapsam module.  Now I'd like to understand a 
> bit more about how that works in order to take it a step further and get 
> OpenLDAP to bind against a Kerberos database via SASL.
> 
> An aside;  Yes, I'd heard that Samba can be configured to authenticate 
> against Kerberos directly, but for my own reasons, I'd prefer that Samba 
> talk only to OpenLDAP, and OpenLDAP can do the authentication.  I'll 
> fall back on the Samba to Kerberos direct route if I can't find a way to 
> do what I want.
> 
> I've noted that the Samba schema and smbldap-tools add to the user 
> record two Samba specific password fields,  sambaNTPassword and 
> sambaLMPassword. 
> 
> If I have the ldapsam module specified as the passdb backend in 
> smb.conf, is OpenLDAP merely storing the samba passwords while Samba 
> does the password comparisons?  Or does OpenLDAP do the authentication 
> and return a yes or no?
> 
> Is it possible to have Samba defer authentication to OpenLDAP?  If so, I 
> can have OpenLDAP use the {SASL} method to do authentication via Kerberos.

Not to achieve what you want. Due to the reality of NTLM authentication,
Samba cannot defer authentication to anything else, aside from a Windows
or Samba domain.

(The only way to get what you want would be for your KDC to actually
handle the NTLM challenge and response for Samba.  Heimdal has code to
do this, but nobody has written a Samba auth module to do it).

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org
Samba Developer, Red Hat Inc.


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

Re: [Samba] Samba to Kerberos via OpenLDAP

2008-03-08 Thread Adam Tauno Williams
> Look at this howto about Kerberized OpenLDAP, Samba PDC and Squid:
> http://eduardosachs.org/mediawiki/index.php?title=Heimdal_Kerberos_%2B_Samba_PDC_%2B_OpenLDAP_%2B_Squid_no_Debian_Etch
> But it's only in Portuguese :(

There are numerous howtos and documents about this;  it gives you a
directory service enabled network that gives you *BOTH* Kerberos and NT4
domain authentication.  But it doesn't make Windows use Kerberos,
Windows will only use domain authentication.

> > talk only to OpenLDAP, and OpenLDAP can do the authentication.  I'll
> > fall back on the Samba to Kerberos direct route if I can't find a 
> > way to do what I want.

You can't.

> > I've noted that the Samba schema and smbldap-tools add to the user
> > record two Samba specific password fields,  sambaNTPassword and
> > sambaLMPassword.
> > If I have the ldapsam module specified as the passdb backend in
> > smb.conf, is OpenLDAP merely storing the samba passwords while Samba
> > does the password comparisons?  Or does OpenLDAP do the 
> > authentication and return a yes or no?

No.  Samba does the authentication using OpenLDAP as a credential and
identity store.

> > Is it possible to have Samba defer authentication to OpenLDAP?  If 
> > so, I can have OpenLDAP use the {SASL} method to do authentication
> > via Kerberos.

You can make OpenLDAP use Kerberos for authentication,  that is well
documented.

-- 
Adam Tauno Williams, Network & Systems Administrator
Consultant - http://www.whitemiceconsulting.com
Developer - http://www.opengroupware.org
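
An added illustration of the two replies above (not code from Samba or from the thread participants): a simplified NTLMv2 check in Python showing that the server verifies the client by recomputing the response from the stored sambaNTPassword hash, so no cleartext password ever arrives that could be passed on to an LDAP bind. The user name, domain and directory entry are constructed, and the random blob stands in for the real NTLMv2 client structure.

```python
import hashlib
import hmac
import os

# Constructed sample directory entry. sambaNTPassword holds the NT hash;
# this value is the well-known NT hash of the string "password".
LDAP_ENTRY = {"uid": "wes", "sambaNTPassword": "8846F7EAEE8FB117AD06BDD830B7586C"}


def ntlmv2_key(nt_hash: bytes, user: str, domain: str) -> bytes:
    """NTLMv2 key: HMAC-MD5 keyed with the NT hash over UPPER(user) + domain."""
    identity = (user.upper() + domain).encode("utf-16-le")
    return hmac.new(nt_hash, identity, hashlib.md5).digest()


def client_response(nt_hash: bytes, user: str, domain: str,
                    challenge: bytes, blob: bytes) -> bytes:
    """What the client sends: a proof derived from the hash, never the password."""
    key = ntlmv2_key(nt_hash, user, domain)
    proof = hmac.new(key, challenge + blob, hashlib.md5).digest()
    return proof + blob


def samba_verify(entry: dict, user: str, domain: str,
                 challenge: bytes, response: bytes) -> bool:
    """Server side: fetch the stored hash from the directory and recompute.

    The directory only supplies the hash; the comparison happens here.
    """
    stored = bytes.fromhex(entry["sambaNTPassword"])
    proof, blob = response[:16], response[16:]
    key = ntlmv2_key(stored, user, domain)
    expected = hmac.new(key, challenge + blob, hashlib.md5).digest()
    return hmac.compare_digest(proof, expected)


def demo() -> tuple:
    challenge = os.urandom(8)   # server's 8-byte challenge
    blob = os.urandom(24)       # stand-in for the client's timestamp/nonce blob
    right = bytes.fromhex(LDAP_ENTRY["sambaNTPassword"])
    wrong = bytes(16)           # a client holding a different hash
    ok = client_response(right, "wes", "EXAMPLE", challenge, blob)
    bad = client_response(wrong, "wes", "EXAMPLE", challenge, blob)
    return (samba_verify(LDAP_ENTRY, "wes", "EXAMPLE", challenge, ok),
            samba_verify(LDAP_ENTRY, "wes", "EXAMPLE", challenge, bad))


if __name__ == "__main__":
    print(demo())
```
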



Re: [Samba] Samba to Kerberos via OpenLDAP

2008-03-08 Thread Eduardo Sachs
Wes Modes,

Look at this howto about Kerberized OpenLDAP, Samba PDC and Squid:
http://eduardosachs.org/mediawiki/index.php?title=Heimdal_Kerberos_%2B_Samba_PDC_%2B_OpenLDAP_%2B_Squid_no_Debian_Etch


But it's only in Portuguese :(

[]'s

Wes Modes wrote:
> First, I'll just say this is a question principally about the arcane
> mysteries of Samba to OpenLDAP authentication.
> I've had Samba to OpenLDAP authentication running for a while now using
> the samba.schema and the ldapsam module.  Now I'd like to understand a
> bit more about how that works in order to take it a step further and get
> OpenLDAP to bind against a Kerberos database via SASL.
> 
> An aside;  Yes, I'd heard that Samba can be configured to authenticate
> against Kerberos directly, but for my own reasons, I'd prefer that Samba
> talk only to OpenLDAP, and OpenLDAP can do the authentication.  I'll
> fall back on the Samba to Kerberos direct route if I can't find a way to
> do what I want.
> 
> I've noted that the Samba schema and smbldap-tools add to the user
> record two Samba specific password fields,  sambaNTPassword and
> sambaLMPassword.
> If I have the ldapsam module specified as the passdb backend in
> smb.conf, is OpenLDAP merely storing the samba passwords while Samba
> does the password comparisons?  Or does OpenLDAP do the authentication
> and return a yes or no?
> 
> Is it possible to have Samba defer authentication to OpenLDAP?  If so, I
> can have OpenLDAP use the {SASL} method to do authentication via Kerberos.
> 
> Wes
> 

-- 
Eduardo Sachs
(51) 9262-3803


Re: [Samba] Samba to Kerberos via OpenLDAP

2008-03-07 Thread simo

On Fri, 2008-03-07 at 15:27 -0800, Wes Modes wrote:
> Is it possible to have Samba defer authentication to OpenLDAP?

No.

-- 
Simo Sorce
Samba Team GPL Compliance Officer <[EMAIL PROTECTED]>
Senior Software Engineer at Red Hat Inc. <[EMAIL PROTECTED]>
