
Re: How can I integrate KERBEROS/LDAP for Windows password hashes?



Hi,

I haven't tried this, but have you looked at the Kerberos for Windows (KfW)
package from MIT?

Tarjei

Harry Rüter wrote:
> 
> Hi people,
> 
> I'm using LDAP/CYRUS-SASL/KERBEROS
> for authentication of LINUX users in my network
> (posixAccount).
> 
> I now want to use this for sambaAccounts too, so that
> the Windows users use kerberized authentication too.
> 
> I tried something like this (an example, anonymized):
> (My REALM here is XY.AB)
> ---snipp---
> 
> dn: uid=xy,...,dc=xy,dc=xy
> logonTime: 0
> displayName: admin
> lmPassword: {KERBEROS}admin/lmpw@XY.AB
> objectClass: sambaAccount
> objectClass: posixAccount
> primaryGroupID: 512
> acctFlags: [UX         ]
> userPassword:: {KERBEROS}admin@XY.AB
> uid: admin
> uidNumber: 1234
> cn: admi
> logoffTime: 2147483647
> gidNumber: 100
> kickoffTime: 2147483647
> pwdLastSet: 1018479812
> rid: 544
> homeDirectory: /home/admin
> pwdCanChange: 0
> pwdMustChange: 2147483647
> ntPassword: {KERBEROS}admin@XY.AB
> 
> ---snipp---
> 
> You see, I just tried to change the hashes for
> ntPassword/lmPassword
> into the kerberized schema. I made two new principals
> for the Win-pw hashes that shall hold
> the passwords in future.
> 
> This didn't work, although I used the original
> hashes as password.
> 
> I think I made a mistake doing it this way;
> does anybody have any suggestions how to do it?
> 
> I also have a problem including kpasswd in a script,
> as it isn't possible to automate the password inputs.
> 
> I tried to build a script;
> here's an example for admin/lmpw@XY.AB:
> 
> ---snipp---
> 
> #!/bin/sh
> 
> ./kpasswd admin/lmpw  << EOF
> passphrase
> AAD3B435B51404EEAAD3B435B51404EE
> AAD3B435B51404EEAAD3B435B51404EE
> EOF
> 
> ---snipp---
> 
> You see, the original hash from Windows shall be the new
> password.
> 
> But it doesn't work, as its output shows:
> 
> ---snipp---
> 
> 486dx66:/usr/local/kerberos/bin # ./mk
> Password for admin/lmpw:
> ./kpasswd: Inappropriate ioctl for device while reading
> password
> 486dx66:/usr/local/kerberos/bin #
> 
> ---snipp---
> 
> The program doesn't accept the way I want to feed it
> information from stdin, too bad.
> 
> I will work on it, because I want to have a solution
> for my network, which should be a single sign-on for
> Win/LINUX users using KERBEROS.
> 
> It would be nice if someone had time for an answer
> that gives me hints on how to proceed.
> 
> Greetings from Germany
> 
> Harry
> 
> PS: I used LDAPv3-HOWTO.html by Turbo Fredriksson
>     ( http://www.bayour.com ) as a guide on how to work
>     with LDAP/KERBEROS/SASL.
>     I can only recommend it to everyone.
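An added editorial example, not code from either poster: a small Python linter for sambaAccount entries like the one in the question. The sample entry is constructed here, modelled on the anonymized one above. Samba's ldapsam reads lmPassword/ntPassword as raw 32-hex-digit LM/NT hashes, so a `{KERBEROS}` value there is not a hash and can never match an NTLM response, and the `::` separator in LDIF marks a base64 value, which the pasted `{KERBEROS}...` string is not; the linter reports both.

```python
import base64
import binascii
import re

# Constructed sambaAccount entry, modelled on the anonymized one in the post.
SAMPLE_LDIF = """\
dn: uid=admin,ou=People,dc=xy,dc=ab
objectClass: sambaAccount
objectClass: posixAccount
uid: admin
userPassword:: {KERBEROS}admin@XY.AB
lmPassword: {KERBEROS}admin/lmpw@XY.AB
ntPassword: {KERBEROS}admin@XY.AB
acctFlags: [UX         ]
"""

HEX32 = re.compile(r"^[0-9A-Fa-f]{32}$")
HASH_ATTRS = ("lmPassword", "ntPassword")
EMPTY_LM = "AAD3B435B51404EEAAD3B435B51404EE"  # LM hash of the empty password
ATTR_LINE = re.compile(r"^([^:]+)(::?)\s*(.*)$")


def parse_ldif_entry(text):
    """Return (attrs, findings). attrs maps name -> [values]. A '::' separator
    is decoded as base64 and reported when the value is not valid base64."""
    attrs, findings, lines = {}, [], []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # LDIF continuation line
            lines[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    for line in lines:
        m = ATTR_LINE.match(line)
        if not m:
            continue
        name, sep, value = m.groups()
        if sep == "::":
            try:
                value = base64.b64decode(value, validate=True).decode()
            except (binascii.Error, UnicodeDecodeError):
                findings.append(f"{name}: '::' marks base64 but value is not base64")
        attrs.setdefault(name, []).append(value)
    return attrs, findings


def lint_samba_account(attrs):
    """Samba expects lmPassword/ntPassword to be raw 32-hex-digit hashes; a
    {SCHEME} prefix is only meaningful in userPassword, not here."""
    findings = []
    for attr in HASH_ATTRS:
        for value in attrs.get(attr, []):
            if not HEX32.match(value):
                findings.append(f"{attr}: not a 32-hex-digit hash: {value!r}")
            elif attr == "lmPassword" and value.upper() == EMPTY_LM:
                findings.append("lmPassword: LM hash of the empty password (LM auth unusable)")
    return findings
```

Running `lint_samba_account(parse_ldif_entry(SAMPLE_LDIF)[0])` flags both hash attributes, which is the reason the entry in the question could not authenticate Windows users.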