I previously sent this to samba-bugs, but this is probably a much more appropriate place...

We are trying to use Samba on a central server here at Georgia Tech to allow printing to 50 printers scattered throughout residence halls all over campus. Over 6,000 residents would use this service. We have a WINS server that will allow them to access the print server, and all they have to do is select the proper printer and mount it. I know how to set samba up correctly. We are also going to put a shell script between Samba and lpr that will use Samba's "%u" variable to find out who is printing and bill accordingly...

The only problem w/ this is that we would have to have an account on the machine for all 6K+ residents. This is not possible. We need to do authentication with the campus-wide Kerberos4 server instead.

We are running Red Hat Linux 4.2 on the server, so I am also looking into the PAM approach. If we can get PAM to use the Kerberos server instead of /etc/passwd (for Samba auth requests at least), then it would work great. This is the most elegant solution, but I have had little luck, and the PAM people are less than helpful.

So, do you guys know anybody who is using Kerberos4 authentication under Samba? Do you know a way to get Samba to directly use Kerberos? I can provide source to a program that will take a user name and password and check w/ the Kerberos server and return 0 or 1 accordingly. This is C source code, so you could possibly look into using it inside Samba...

I am thinking about hacking Samba myself and replacing the normal authentication process w/ the Kerberos authentication function. I would first like to know if:

 1) There is a better way to add Kerberos besides hacking Samba code.
 2) you have any tips for me if I attempt to hack the code myself...
 3) one of you could hack the code real quick for me ;)

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Kirk Bauer -- Georgia Tech -- kirk@kaybee.org <== Finger for PGP
http://www.kaybee.org/~kirk/html                      ResNet RTA

>
> 1) There is a better way to add Kerberos besides hacking Samba code.
> 2) you have any tips for me if I attempt to hack the code myself...
> 3) one of you could hack the code real quick for me ;)

Hmm... hack the code? I'm assuming you already know about this part of the Makefile:

# This is for Kerberos 5 authentication. Contributed by Nathan Neulinger
# Univ. of Missouri - Rolla <nneul@umr.edu>
# KRB5_BASE = /usr/local/krb5
# KRB5_FLAGS = -DKRB5_AUTH -I$(KRB5_BASE)/include
# KRB5_LIBS = -L$(KRB5_BASE)/lib -ldes425 -lkrb5 -lcrypto -lcom_err

Granted, this is Kerberos 5, not Kerberos 4 which you said you need. I believe if you compile your Kerberos libraries with version 4 compatibility, it should still work (though I'm not positive-- I've never tried that). Even if it didn't I'm sure the Kerberos 5 support would provide you with the necessary stubs to avoid any message code hacking.

-john.

......................................................................
.                                                                    .
.....John.D.Blair...   mailto:jdblair@uab.edu   phoneto:205.975.7123 .
.                      http://frodo.tucc.uab.edu  faxto:205.975.7129 .
..sys|net.admin....                                                  .
.                      the university computer center          ..... 
..... g.e.e.k.n.i.k...the.university.of.alabama.at.birmingham....

>provide you with the necessary stubs to avoid any message code hacking.
                                                   ^^^^^^^

Hmm... I meant "avoid any messy code hacking."

sigh... time for sleep.

......................................................................
.                                                                    .
.....John.D.Blair...   mailto:jdblair@uab.edu   phoneto:205.975.7123 .
.                      http://frodo.tucc.uab.edu  faxto:205.975.7129 .
..sys|net.admin....                                                  .
.                      the university computer center          ..... 
..... g.e.e.k.n.i.k...the.university.of.alabama.at.birmingham....

>I am thinking about hacking Samba myself and replacing the normal
>authentication process w/ the Kerberos authentication function. I would
>first like to know if:
>
> 1) There is a better way to add Kerberos besides hacking Samba code.
> 2) you have any tips for me if I attempt to hack the code myself...
> 3) one of you could hack the code real quick for me ;)

I have done such a patch for Kerberos 4 and submitted it to samba-bugs. You'll find it at ftp://ftp.pdc.kth.se/pub/krb/contrib/

Note that the messing with the KRB5 flags in the Makefile is a mistake.

Also note that applying such a patch to samba will transmit your passwords in clear text, destroying the Kerberos security.

Johan

/---------------------------------------------------------------------\
| Johan Hedin                      | johanh@fusion.kth.se             |
| Ph.D. Student and System Manager | http://www.fusion.kth.se/~johanh |
\---------------------------------------------------------------------/