samba - Oct 2002 - Re: Samba PDC and Kerberos(MIT or SEAM in Uinx, without microsoft ADS)

Hi, Andrew, 
   Thank you very much for your answer.
   Now our case is as below:
   1, our client machine is the windows 2000 
   2, We want our Kerberos run in the Unix box.
   3, We also want the samba as PDC for all windows user and machine.
   4, We want integrate the Kerberos Authentication with samba authentication.
   So in this situation, can we get the kerberos login from the windows 2000
client
because the windows 2000 is support kerberos authenctication. If it can, where
can I
start?
   I have already setup the environment for windows 2000 client auhtenticating 
himself to the Kerberos Realm in the Solaris and authenticate the samba domain
user
to the local windows 2k machine. But this two cases are seperated from each
other
which means the kerberos authentication use the kerberos password and samba PDC 
authentication use the smbpasswd. And I can also map(using Ksetup /mapuser) the 
kerberos user to the local or samba domain user and then do the authentication
to
the kerberos. So we really want is, when we do the samba PDC authentication we
can
use the kerberos password. I don't know if it right. PLS correct me .
  Thank you very much.
  John

---- Original Message ----
From:		Andrew Bartlett
Date:		Mon 10/28/02 17:24
To:		Yongjun Rong
Cc:		abartlet@samba.org
Subject:	Re: Samba and Kerberos(MIT or SEAM, without microsoft ADS)

Yongjun Rong wrote:
> 
> Hi, Andrew,
>    This is John from Texas Tech University.I have read your reply about
samba and
> kerberos. May I ask you some question about samba and Kerberos.
>    1, Is the samba can use the kerberos(Not with ADS, Just MIT or SEAM in
Solaris)
> as the authentication services and store samba user and passwd in the
kerberos
> database directly but not using OpenLDAP?
If you can get the clients to send you a kerberos login without using
ADS, then the modification is realitivly simple, and is part of the work
towards an Active Directory replacement.
>    2, If it cannot, I know the samba has support the Kerberos with
Microsoft ADS.
> Where can start to change the source to enable the support for MIT or SEAM
in
> solaris? How can I do it? I have download the source of samba3.0alpha20.
And I also
> have configure the samba as a PDC for my win2k client.
You can't do PDC stuff with this kind of setup, not until we get a *lot*
more Active Directory work done.
>    3, You said that samba should support the MIT kerberos. But not at this
moment.
> Did it support keberos in the older version or not? which version? If it
was not
> support. I wish I can do something for it.
>    Thank you very much for your help.
>    John.
In a very old version, we used the host keytab.  Now we use our own
secrets.tdb file, which we maintain.  This is becouse in an ADS
environment, we need to do both NT authentication and Kerberos.

Please put questions to the list, so that others may see the replies. 
CC me if you want me to actually read it however :-)

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet@pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet@samba.org
Student Network Administrator, Hawker College   abartlet@hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net

Here what you could use:

LDAP with Kerberos password backend.
Samba 2.2.6 PDC with LDAP backend.

Windows passwords are stored in LDAP in samba object, not in Kerberos
KDC since they use incompatible encryption methods.

Use Kerberos passwords as primary source and synchronize Windows
passwords with them when user changes his password or administrator
reset it.

This setup will allow to use the same password across the board for Unix
shell access and email (via pam_ldap, nss_ldap and pam_krb5) and for
Windows access (via Samba PDC), and the same name space will be used
everywhere (via LDAP), so no mapping needed.

Of course it will require quite a few scripts to synchronize passwords,
create users in LDAP and Kerberos, etc. But it works...

	

Yongjun Rong wrote:
> 
> Hi, Andrew,
>    Thank you very much for your answer.
>    Now our case is as below:
>    1, our client machine is the windows 2000
>    2, We want our Kerberos run in the Unix box.
>    3, We also want the samba as PDC for all windows user and machine.
>    4, We want integrate the Kerberos Authentication with samba
authentication.
>    So in this situation, can we get the kerberos login from the windows
2000 client
> because the windows 2000 is support kerberos authenctication. If it can,
where can I
> start?
>    I have already setup the environment for windows 2000 client
auhtenticating
> himself to the Kerberos Realm in the Solaris and authenticate the samba
domain user
> to the local windows 2k machine. But this two cases are seperated from each
other
> which means the kerberos authentication use the kerberos password and samba
PDC
> authentication use the smbpasswd. And I can also map(using Ksetup /mapuser)
the
> kerberos user to the local or samba domain user and then do the
authentication to
> the kerberos. So we really want is, when we do the samba PDC authentication
we can
> use the kerberos password. I don't know if it right. PLS correct me .
>   Thank you very much.
>   John
> 
> ---- Original Message ----
> From:           Andrew Bartlett
> Date:           Mon 10/28/02 17:24
> To:             Yongjun Rong
> Cc:             abartlet@samba.org
> Subject:        Re: Samba and Kerberos(MIT or SEAM, without microsoft ADS)
> 
> Yongjun Rong wrote:
> >
> > Hi, Andrew,
> >    This is John from Texas Tech University.I have read your reply
about samba and
> > kerberos. May I ask you some question about samba and Kerberos.
> >    1, Is the samba can use the kerberos(Not with ADS, Just MIT or SEAM
in Solaris)
> > as the authentication services and store samba user and passwd in the
kerberos
> > database directly but not using OpenLDAP?
> 
> If you can get the clients to send you a kerberos login without using
> ADS, then the modification is realitivly simple, and is part of the work
> towards an Active Directory replacement.
> 
> >    2, If it cannot, I know the samba has support the Kerberos with
Microsoft ADS.
> > Where can start to change the source to enable the support for MIT or
SEAM in
> > solaris? How can I do it? I have download the source of
samba3.0alpha20. And I also
> > have configure the samba as a PDC for my win2k client.
> 
> You can't do PDC stuff with this kind of setup, not until we get a
*lot*
> more Active Directory work done.
> 
> >    3, You said that samba should support the MIT kerberos. But not at
this moment.
> > Did it support keberos in the older version or not? which version? If
it was not
> > support. I wish I can do something for it.
> >    Thank you very much for your help.
> >    John.
> 
> In a very old version, we used the host keytab.  Now we use our own
> secrets.tdb file, which we maintain.  This is becouse in an ADS
> environment, we need to do both NT authentication and Kerberos.
> 
> Please put questions to the list, so that others may see the replies.
> CC me if you want me to actually read it however :-)
> 
> Andrew Bartlett
> 
> --
> Andrew Bartlett                                 abartlet@pcug.org.au
> Manager, Authentication Subsystems, Samba Team  abartlet@samba.org
> Student Network Administrator, Hawker College   abartlet@hawkerc.net
> http://samba.org     http://build.samba.org     http://hawkerc.net
> 
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  http://lists.samba.org/mailman/listinfo/samba

Yongjun-

Right now, you cannot get Samba to authenticate the user using the
kerberos credentials he gets when logging in to the Kerberos Realm on
the workstation. What you can do:

1. Run MIT kerberos 5 on UNIX.
2. Setup pam_krb5 in Solaris to authenticate off of the UNIX kdc. (We
use the one supplied with Solaris 8. We couldn't get the Solaris 9 one
to work, however. You could always replace it with the open source stuff
though.)
3. Setup a Windows 2000 AD domain. Mixed or Native mode shouldn't
matter.
4. Create an account/password for the AD server in the UNIX kerberos
domain and trust the UNIX kerberos realm from AD with it.
5. Create accounts in AD that match the ones in the UNIX kdc and
whatever you're using for passwd/group/shadow (nis, nss_ldap, etc.) with
the 'username mapping' set to the username@KERBEROSREALM. The passwords
can be randomized. If you need it, I have a vbscript for creating the
accounts to help automate this. We're using NIS with no passwords in NIS
except for the usual administrative ones since we don't control the
kerberos domain here.
6. Setup Samba 2.2.6 --with-pam and in User mode. Samba will
authenticate off of kerberos through pam.
7. Setup the Windows 2000 workstations via a group policy object or with
a registry editor to Enable "Send clear-text passwords to thrid-party
SMB servers".
8. On the Windows 2000 workstations run 'ksetup.exe /addkdc REALMNAME
fqdn.of.your.server'. ksetup is in the Windows 2000 resource kit.

That'll work.

*** However, in this configuration, you cannot get drives mapped to
shares on the Samba server without the user typing in the password
interactively.*** You'll need to create a script for the users to use
for this purpose. ('net use U: \\server\%username% /persistent:no')

Hopefully by 3.0 release the kerberos authentication will work in this
setup and drive mapping can be done automatically and we can do things
like Folder Redirection to samba shares!

Additional cool things would involve editing the resources in the
MSGINA.DLL to add some more explanatory info for users so that they know
to login to the '(Kerberos Realm)' and not the local workstation or AD
domain.

Donald Saltarelli

On Thu, 2002-10-31 at 12:28, Yongjun Rong wrote:
> Hi, Andrew, 
>    Thank you very much for your answer.
>    Now our case is as below:
>    1, our client machine is the windows 2000 
>    2, We want our Kerberos run in the Unix box.
>    3, We also want the samba as PDC for all windows user and machine.
>    4, We want integrate the Kerberos Authentication with samba
authentication.
>    So in this situation, can we get the kerberos login from the windows
2000 client
> because the windows 2000 is support kerberos authenctication. If it can,
where can I
> start?
>    I have already setup the environment for windows 2000 client
auhtenticating
> himself to the Kerberos Realm in the Solaris and authenticate the samba
domain user
> to the local windows 2k machine. But this two cases are seperated from each
other
> which means the kerberos authentication use the kerberos password and samba
PDC
> authentication use the smbpasswd. And I can also map(using Ksetup /mapuser)
the
> kerberos user to the local or samba domain user and then do the
authentication to
> the kerberos. So we really want is, when we do the samba PDC authentication
we can
> use the kerberos password. I don't know if it right. PLS correct me .
>   Thank you very much.
>   John
> 
> ---- Original Message ----
> From:		Andrew Bartlett
> Date:		Mon 10/28/02 17:24
> To:		Yongjun Rong
> Cc:		abartlet@samba.org
> Subject:	Re: Samba and Kerberos(MIT or SEAM, without microsoft ADS)
> 
> Yongjun Rong wrote:
> > 
> > Hi, Andrew,
> >    This is John from Texas Tech University.I have read your reply
about samba and
> > kerberos. May I ask you some question about samba and Kerberos.
> >    1, Is the samba can use the kerberos(Not with ADS, Just MIT or SEAM
in Solaris)
> > as the authentication services and store samba user and passwd in the
kerberos
> > database directly but not using OpenLDAP?
> 
> If you can get the clients to send you a kerberos login without using
> ADS, then the modification is realitivly simple, and is part of the work
> towards an Active Directory replacement.
> 
> >    2, If it cannot, I know the samba has support the Kerberos with
Microsoft ADS.
> > Where can start to change the source to enable the support for MIT or
SEAM in
> > solaris? How can I do it? I have download the source of
samba3.0alpha20. And I also
> > have configure the samba as a PDC for my win2k client.
> 
> You can't do PDC stuff with this kind of setup, not until we get a
*lot*
> more Active Directory work done.
> 
> >    3, You said that samba should support the MIT kerberos. But not at
this moment.
> > Did it support keberos in the older version or not? which version? If
it was not
> > support. I wish I can do something for it.
> >    Thank you very much for your help.
> >    John.
> 
> In a very old version, we used the host keytab.  Now we use our own
> secrets.tdb file, which we maintain.  This is becouse in an ADS
> environment, we need to do both NT authentication and Kerberos.
> 
> Please put questions to the list, so that others may see the replies. 
> CC me if you want me to actually read it however :-)
> 
> Andrew Bartlett
> 
> -- 
> Andrew Bartlett                                 abartlet@pcug.org.au
> Manager, Authentication Subsystems, Samba Team  abartlet@samba.org
> Student Network Administrator, Hawker College   abartlet@hawkerc.net
> http://samba.org     http://build.samba.org     http://hawkerc.net
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  http://lists.samba.org/mailman/listinfo/samba
>