Yongjun Rong
2002-Oct-31 20:30 UTC
[Samba] Re: Samba PDC and Kerberos(MIT or SEAM in Unix, without microsoft ADS)
Hi, Andrew,

Thank you very much for your answer. Now our case is as below:

1, Our client machine is Windows 2000.
2, We want our Kerberos to run in the Unix box.
3, We also want Samba as PDC for all Windows users and machines.
4, We want to integrate the Kerberos authentication with Samba authentication.

So in this situation, can we get the Kerberos login from the Windows 2000 client, because Windows 2000 supports Kerberos authentication? If it can, where can I start?

I have already set up the environment for the Windows 2000 client authenticating himself to the Kerberos realm in Solaris, and for authenticating the Samba domain user to the local Windows 2k machine. But these two cases are separated from each other, which means the Kerberos authentication uses the Kerberos password and the Samba PDC authentication uses the smbpasswd. And I can also map (using Ksetup /mapuser) the Kerberos user to the local or Samba domain user and then do the authentication to Kerberos. So what we really want is, when we do the Samba PDC authentication, we can use the Kerberos password. I don't know if it is right. Please correct me.

Thank you very much.

John

---- Original Message ----
From: Andrew Bartlett
Date: Mon 10/28/02 17:24
To: Yongjun Rong
Cc: abartlet@samba.org
Subject: Re: Samba and Kerberos(MIT or SEAM, without microsoft ADS)

Yongjun Rong wrote:
>
> Hi, Andrew,
> This is John from Texas Tech University. I have read your reply about Samba and
> Kerberos. May I ask you some questions about Samba and Kerberos?
> 1, Can Samba use Kerberos (not with ADS, just MIT or SEAM in Solaris)
> as the authentication service and store Samba users and passwords in the Kerberos
> database directly, not using OpenLDAP?

If you can get the clients to send you a Kerberos login without using
ADS, then the modification is relatively simple, and is part of the work
towards an Active Directory replacement.

> 2, If it cannot, I know Samba has support for Kerberos with Microsoft ADS.
> Where can I start to change the source to enable the support for MIT or SEAM in
> Solaris? How can I do it? I have downloaded the source of samba3.0alpha20. And I also
> have configured Samba as a PDC for my win2k client.

You can't do PDC stuff with this kind of setup, not until we get a *lot*
more Active Directory work done.

> 3, You said that Samba should support MIT Kerberos, but not at this moment.
> Did it support Kerberos in an older version or not? Which version? If it was not
> supported, I wish I could do something for it.
> Thank you very much for your help.
> John.

In a very old version, we used the host keytab. Now we use our own
secrets.tdb file, which we maintain. This is because in an ADS
environment, we need to do both NT authentication and Kerberos.

Please put questions to the list, so that others may see the replies.
CC me if you want me to actually read it however :-)

Andrew Bartlett

--
Andrew Bartlett                                 abartlet@pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet@samba.org
Student Network Administrator, Hawker College   abartlet@hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
Yura Pismerov
2002-Nov-01 00:39 UTC
[Samba] Re: Samba PDC and Kerberos(MIT or SEAM in Unix, without microsoft ADS)
Here is what you could use: LDAP with a Kerberos password backend. Samba 2.2.6 PDC with LDAP backend. Windows passwords are stored in LDAP in the samba object, not in the Kerberos KDC, since they use incompatible encryption methods. Use Kerberos passwords as the primary source and synchronize Windows passwords with them when the user changes his password or the administrator resets it.

This setup will allow using the same password across the board for Unix shell access and email (via pam_ldap, nss_ldap and pam_krb5) and for Windows access (via Samba PDC), and the same name space will be used everywhere (via LDAP), so no mapping is needed.

Of course it will require quite a few scripts to synchronize passwords, create users in LDAP and Kerberos, etc. But it works...

Yongjun Rong wrote:
Donald Saltarelli
2002-Nov-01 23:56 UTC
[Samba] Re: Samba PDC and Kerberos(MIT or SEAM in Unix, without microsoft ADS)
Yongjun-

Right now, you cannot get Samba to authenticate the user using the Kerberos credentials he gets when logging in to the Kerberos realm on the workstation.

What you can do:

1. Run MIT Kerberos 5 on UNIX.
2. Set up pam_krb5 in Solaris to authenticate off of the UNIX KDC. (We use the one supplied with Solaris 8. We couldn't get the Solaris 9 one to work, however. You could always replace it with the open source stuff though.)
3. Set up a Windows 2000 AD domain. Mixed or Native mode shouldn't matter.
4. Create an account/password for the AD server in the UNIX Kerberos domain and trust the UNIX Kerberos realm from AD with it.
5. Create accounts in AD that match the ones in the UNIX KDC and whatever you're using for passwd/group/shadow (NIS, nss_ldap, etc.) with the 'username mapping' set to username@KERBEROSREALM. The passwords can be randomized. If you need it, I have a VBScript for creating the accounts to help automate this. We're using NIS with no passwords in NIS except for the usual administrative ones, since we don't control the Kerberos domain here.
6. Set up Samba 2.2.6 --with-pam and in User mode. Samba will authenticate off of Kerberos through PAM.
7. Set up the Windows 2000 workstations via a group policy object or with a registry editor to enable "Send clear-text passwords to third-party SMB servers".
8. On the Windows 2000 workstations run 'ksetup.exe /addkdc REALMNAME fqdn.of.your.server'. ksetup is in the Windows 2000 resource kit.

That'll work.

*** However, in this configuration, you cannot get drives mapped to shares on the Samba server without the user typing in the password interactively. *** You'll need to create a script for the users to use for this purpose. ('net use U: \\server\%username% /persistent:no')

Hopefully by the 3.0 release the Kerberos authentication will work in this setup, drive mapping can be done automatically, and we can do things like Folder Redirection to Samba shares!
Additional cool things would involve editing the resources in MSGINA.DLL to add some more explanatory info for users so that they know to log in to the '(Kerberos Realm)' and not the local workstation or AD domain.

Donald Saltarelli

On Thu, 2002-10-31 at 12:28, Yongjun Rong wrote:
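As an added illustration (not from Donald's post or from the Samba project), here is what steps 2 and 6 of the setup above amount to on the server side: Samba 2.2.6 built --with-pam, in user-level security, with SMB password encryption switched off so the clear-text password can be handed to a "samba" PAM service that checks it against the UNIX KDC via pam_krb5. File paths, the workgroup name and the Solaris 8 module paths are assumptions.

```ini
# /usr/local/samba/lib/smb.conf  (assumed install path for a 2.2.6 source build)
[global]
   workgroup = EXAMPLE          ; assumed NT domain/workgroup name
   security = user
   # Kerberos-only users have no NT/LM password hashes anywhere Samba can
   # read, so SMB challenge/response cannot be verified. The password must
   # therefore arrive in clear text and be passed to PAM; this is why step 7
   # (the client-side "send clear-text passwords" setting) is required.
   encrypt passwords = no
   # Apply the PAM account/session stack as well as the auth stack.
   obey pam restrictions = yes
   # Let "smbpasswd" style changes go through PAM rather than a local file.
   pam password change = yes

# /etc/pam.conf on Solaris 8 (assumed module locations for the bundled modules)
# service  type      control   module
samba      auth      required  /usr/lib/security/pam_krb5.so.1
samba      account   required  /usr/lib/security/pam_unix.so.1
samba      session   required  /usr/lib/security/pam_unix.so.1
```

Because the password crosses the wire unencrypted in this design, the PAM stack is the only place it is checked; nothing in smb.conf or the LDAP/NIS account data holds a reusable Windows hash for these users.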