I've noticed quite a few people on this list asking for a way of
logging their users onto a SAMBA server using Kerberos. We've done
this by writing a GINA for NT and a network provider wrapper for
Win95.
The GINA and NP wrapper also allow us to manage some of the account
features for the users logging in.
When the user authenticates to NT or 95, they do so using their
Kerberos identity. The GINA or NP wrapper then calls what we call
the Pseudo Domain server, which is running along side of SAMBA on the
server box. The PD server authenticates the user using Kerberos and
then looks up their "user record" which is a variant on the MS
USER_INFO_3 struct.
Using the private message functions to encrypt the network traffic,
the client can request the appropriate information to set up the
account and also request the password to logon to SAMBA.
Once the local account has been created. The GINA/NP wrapper drops
the password they received into the normal MS logon sequence. The
client then does the normal logon to SAMBA (which has been modified to
look for password in our user records).
We also have an additional step to authenticate our users to their
AFS space.
Since our users never need to know their passwords for the SAMBA
server we don't have to keep them synched with any other password
database and can regularly change them on each server.
The modified SAMBA source, Pseudo Domain server, and the binaries
for Windows 95/NT, may be found at this URL:
ftp://terminator.rs.itd.umich.edu/win/KSamba
There is some very crude instructions on how to set everything up,
and the Windows pieces use Kerberos 95.
(ftp://terminator.rs.itd.umich.edu/win/Kerb95/readme.txt).
Also included with this is a shell extension for 95/NT4.0 that will
talk to a named pipe we added to SAMBA to allow you to view/set UNIX
and AFS permissions.
--Allan Bjorklund
allan@umich.edu