Jonathan Higgins
2002-Nov-01 16:14 UTC
[Samba] Re: Samba PDC and Kerberos(MIT or SEAM in Unix, without microsoft ADS)
A few more questions and comments... related to this topic
If Kerberos is the back-end to LDAP.. there is no need to synchronize or store a
password in the LDAP tree.. just the principal for the user in the userpassword
attribute: userpassword = {kerberos}name@domain
in the smb.conf file do I need stuff like this?
Unix password sync = yes
passwd program = /some-path/to-a/script-which/synchronize-kerb-smb %u
in this program "synchronize-kerb-smb"
%u is the username and comes in as an argument, then request the password and
read it in from STDIN.. ... then run a smbpasswd %u feeding the password.. and
then get a valid user/admin ticket using kinit for an account validated by a
keytab .. then run kadmin.local -q 'cpw -pw $password $username' to
synchronize with Kerberos
This has the potential to work (I think) but... I'm missing a few parts.. can a
script like this synchronize passwords when they are forced to change their
password at the client level.. say expire the user's password? And what happens
if they change their password using kpassword.. that has the potential to
unsynchronize the passwords..
Also.. what about adding machine trusts to the samba domain?.. I've
seen where people use the:
add user script = /some/adduserscript -n -g machines -c Machine -d /dev/null -s
/bin/false $m$
is there any way to change the LDAP suffix before adding a machine to the LDAP
tree?.. In my current setup I have all users in an ou=people area.. and so my
LDAP suffix = "ou=people, dc=domain".. but I don't want to add
machines to this container.. I would rather put them in something like
"ou=hosts, dc=domain"..
I have many more questions.... but don't want to change the topic too
much...
Jonathan Higgins
Network Service Specialist IV
jhiggins@kennesaw.edu
>>> Yura Pismerov <ypismerov@tucows.com> 10/31/02 07:38PM >>>
Here is what you could use:
LDAP with Kerberos password backend.
Samba 2.2.6 PDC with LDAP backend.
Windows passwords are stored in LDAP in samba object, not in Kerberos
KDC since they use incompatible encryption methods.
Use Kerberos passwords as primary source and synchronize Windows
passwords with them when user changes his password or administrator
reset it.
This setup will allow you to use the same password across the board for Unix
shell access and email (via pam_ldap, nss_ldap and pam_krb5) and for
Windows access (via Samba PDC), and the same name space will be used
everywhere (via LDAP), so no mapping needed.
Of course it will require quite a few scripts to synchronize passwords,
create users in LDAP and Kerberos, etc. But it works...
Yongjun Rong wrote:
>
> Hi, Andrew,
> Thank you very much for your answer.
> Now our case is as below:
> 1, our client machine is the windows 2000
> 2, We want our Kerberos to run in the Unix box.
> 3, We also want the samba as PDC for all windows user and machine.
> 4, We want to integrate the Kerberos Authentication with samba authentication.
> So in this situation, can we get the kerberos login from the windows 2000 client
> because the windows 2000 supports kerberos authentication. If it can, where can I
> start?
> I have already set up the environment for the windows 2000 client authenticating
> himself to the Kerberos Realm in the Solaris and authenticating the samba domain user
> to the local windows 2k machine. But these two cases are separated from each
> other, which means the kerberos authentication uses the kerberos password and samba
> PDC authentication uses the smbpasswd. And I can also map (using Ksetup /mapuser) the
> kerberos user to the local or samba domain user and then do the authentication to
> the kerberos. So what we really want is, when we do the samba PDC authentication we can
> use the kerberos password. I don't know if it is right. PLS correct me.
> Thank you very much.
> John
>
> ---- Original Message ----
> From: Andrew Bartlett
> Date: Mon 10/28/02 17:24
> To: Yongjun Rong
> Cc: abartlet@samba.org
> Subject: Re: Samba and Kerberos(MIT or SEAM, without microsoft ADS)
>
> Yongjun Rong wrote:
> >
> > Hi, Andrew,
> > This is John from Texas Tech University. I have read your reply about samba and
> > kerberos. May I ask you some questions about samba and Kerberos?
> > 1, Can samba use kerberos (not with ADS, just MIT or SEAM in Solaris)
> > as the authentication service and store samba user and passwd in the kerberos
> > database directly but not using OpenLDAP?
>
> If you can get the clients to send you a kerberos login without using
> ADS, then the modification is relatively simple, and is part of the work
> towards an Active Directory replacement.
>
> > 2, If it cannot, I know samba has support for Kerberos with Microsoft ADS.
> > Where can I start to change the source to enable the support for MIT or SEAM in
> > solaris? How can I do it? I have downloaded the source of samba3.0alpha20. And I also
> > have configured samba as a PDC for my win2k client.
>
> You can't do PDC stuff with this kind of setup, not until we get a *lot*
> more Active Directory work done.
>
> > 3, You said that samba should support MIT kerberos. But not at this moment.
> > Did it support kerberos in the older version or not? Which version? If it was not
> > supported, I wish I could do something for it.
> > Thank you very much for your help.
> > John.
>
> In a very old version, we used the host keytab. Now we use our own
> secrets.tdb file, which we maintain. This is because in an ADS
> environment, we need to do both NT authentication and Kerberos.
>
> Please put questions to the list, so that others may see the replies.
> CC me if you want me to actually read it however :-)
>
> Andrew Bartlett
>
> --
> Andrew Bartlett abartlet@pcug.org.au
> Manager, Authentication Subsystems, Samba Team abartlet@samba.org
> Student Network Administrator, Hawker College abartlet@hawkerc.net
> http://samba.org http://build.samba.org http://hawkerc.net
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: http://lists.samba.org/mailman/listinfo/samba
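The password-sync helper Jonathan sketches above (a passwd program that takes %u as its argument, reads the new password from stdin, then updates smbpasswd and the Kerberos KDC), written out as an added example. This is not code from the thread or from the Samba project. Assumptions: it runs on the KDC host, where kadmin.local has direct database access (so the kinit-with-keytab step from the thread is not needed); Samba's passwd chat is arranged so the new password arrives as a single line on stdin; smbpasswd -s reads the password from stdin; kadmin.local reads commands from stdin when no -q query is given; and kadmin's command reader takes a doubled double quote as a literal quote inside a quoted token. Command names are variables so the logic can be exercised with stand-in commands. It departs from the thread's `-q 'cpw -pw $password $username'` form so the password never appears in a process listing, and it updates the KDC before Samba so that a password-policy rejection there leaves the two stores still in agreement.

```shell
#!/bin/sh
# sync-kerb-smb: Samba "passwd program" helper (added example, not from the thread).
# Assumed convention: Samba runs  passwd program = /usr/local/sbin/sync-kerb-smb %u
# with "passwd chat" set so the new password is written to stdin as one line.
# Assumes it runs on the KDC host, where kadmin.local needs no ticket.
# Command names are overridable so the logic can be exercised with stand-ins.

SMBPASSWD=${SMBPASSWD:-smbpasswd}
KADMIN=${KADMIN:-kadmin.local}

# The username is spliced into a kadmin command line and into argv for
# smbpasswd, so accept only a conservative charset and refuse anything that
# could be parsed as an option or as an extra token.
valid_user() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Quote a value for kadmin's command reader: wrap in double quotes and double
# any embedded double quote (assumed convention of the ss library kadmin uses).
kadmin_quote() {
    printf '"%s"' "$(printf '%s' "$1" | sed 's/"/""/g')"
}

# Set the password in the KDC. The cpw command goes to kadmin.local on stdin
# rather than via -q, so the password is never an argv string visible in ps.
# kadmin's exit status has not always reflected command failure, so anything
# it writes to stderr is also treated as failure (fail closed).
kdc_set_password() {
    user=$1; password=$2
    errfile=$(mktemp) || return 1
    printf 'cpw -pw %s %s\n' "$(kadmin_quote "$password")" "$user" \
        | "$KADMIN" >/dev/null 2>"$errfile"
    status=$?
    if [ "$status" -ne 0 ] || [ -s "$errfile" ]; then
        cat "$errfile" >&2
        rm -f "$errfile"
        return 1
    fi
    rm -f "$errfile"
    return 0
}

# Set the password in Samba's backend. smbpasswd -s reads the new password
# (twice, for confirmation) from stdin, again keeping it off the command line.
smb_set_password() {
    user=$1; password=$2
    printf '%s\n%s\n' "$password" "$password" | "$SMBPASSWD" -s "$user" >/dev/null
}

# Entry point used by the passwd program hook: %u as the argument, the new
# password as one line on stdin. Returns 2 for bad input, 1 for a store failure.
sync_password() {
    user=$1
    valid_user "$user" || { printf 'sync-kerb-smb: bad username\n' >&2; return 2; }
    IFS= read -r password || { printf 'sync-kerb-smb: no password on stdin\n' >&2; return 2; }
    [ -n "$password" ] || { printf 'sync-kerb-smb: empty password\n' >&2; return 2; }

    # Kerberos is the primary store in this design and enforces the realm's
    # password policy, so update it first: a rejection there leaves Samba
    # untouched and both stores still hold the old password.
    kdc_set_password "$user" "$password" \
        || { printf 'sync-kerb-smb: KDC rejected change for %s\n' "$user" >&2; return 1; }
    smb_set_password "$user" "$password" \
        || { printf 'sync-kerb-smb: smbpasswd failed for %s; stores now differ\n' "$user" >&2; return 1; }
    return 0
}

# When invoked by Samba the username arrives as $1; when sourced for testing
# it does not, so nothing runs here.
if [ -n "$1" ]; then
    sync_password "$1"
    exit $?
fi
```

The ordering matters for the two failure cases Jonathan raises: a change rejected by the KDC never reaches smbpasswd, while a change that succeeds in the KDC but fails in smbpasswd is reported loudly so an administrator can re-run it, since at that point the stores really do differ. Changes made directly with kpasswd bypass this hook entirely, which is exactly the drift he worries about; the only fix for that path is to route password changes through one place.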
