On Thu, 2008-04-03 at 14:02 -0700, Howard Chu wrote:
>
> Wes Modes wrote:
> > The question and the challenge: Any leads on how I might convince Samba
> > to pass the input password on to OpenLDAP so that OpenLDAP can
> > authenticate it against Kerberos?
>
> Sounds like you're asking how to configure Samba. Try a Samba mailing list.
>
> As an initial hint - Windows clients authenticating to Samba will generally
> have one of two choices - NTLM or Kerberos authentication. For NTLM, the Samba
> server needs either the plaintext password or the hashed equivalent (e.g., the
> value typically stored in sambaNTpassword if Samba is using LDAP for password
> storage). Clearly if your authentication database resides only in a Kerberos
> KDC, then this option is unavailable to you.

Indeed, the flawed assumption here appears to be that Samba has some kind
of password to pass on. NTLM is a challenge-response system, so
arbitrarily passing the password on to anything that is not an NTLM
server is simply not possible.

> Since that leaves Kerberos as your only choice, you should realize that
> passwords are never sent between a client and a server when Kerberos
> authentication is being used. So, there is no password for Samba to pass to
> the LDAP server.
>
> So, the short answer to your ill-thought out question: it can't be done.

This is correct. Getting Windows clients to use Kerberos (outside of an AD
setup) is the challenge, and is beyond the scope of expertise on this
list.

If the KDC is an AD server, are your Windows clients part of that AD
domain? Then please look at the very standard ways this is handled.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.