Hi.

I've built an afs cell, a kerberos kdc, an openldap server, all kerberized. Now all linux clients can login on the cell using k5 authentication, finding information about their home dirs with ldap. Their homes reside on the afs cell, which allows r/w access since it releases a token from the k5 ticket. All macosx clients can login as well... but what about windows? ^___^;;;

I've been sent here from a kerberos group, telling me samba could be useful.

I'd like to avoid creating windows users on every windows client... and I know I can set up an AD server, creating users on kerberos/afs/ldap AND the same users on AD... quite long...

Is samba of any use? Can I grant tickets and tokens via samba, mapping windows home directories on the afs home dir? This information can be retrieved from openldap...

Any hint?
-- 
Sensei <mailto:senseiwa@tin.it>
       <icqnum:241572242>
       <msn-id:Sensei_Sen@hotmail.com>
A)bort, R)etry, I)nfluence with large hammer.
On Sat, Apr 10, 2004 at 12:09:49PM +0200, Sensei wrote:
> Is samba of any use? Can I grant tickets and tokens via samba, mapping
> windows home directories on the afs home dir? This information can be
> retrieved from openldap...

Samba cannot use the kerberos tickets directly - not unless the KDC is Active Directory (for now). But it is possible for Samba to use the same password store. (For NTLM, but not kerberos passwords)

What is your KDC? MIT or Heimdal? Are you using the Heimdal LDAP backend? If you are running Heimdal, what version? Could you run a current snapshot?

While the work is still new, there is support in Heimdal to read Samba password entries in LDAP. There is also an OpenLDAP plugin to set both Samba and Kerberos passwords on password change.

You would need to manually edit your LDAP database, to expose the passwords in 'Samba' format - potentially a dump and restore of the Heimdal entries might do it, if the sambaSamAccount objectClass was added, and you used a current snapshot. (The type 23 arcfour-hmac-md5 enctype is the Samba NT password)

Andrew Bartlett
What I think you are trying to do is have a Samba file server be a member of a Kerberos (MIT) realm outside of the use of Active Directory. In my experience, I have not been able to get this to work, since although samba seems to be able to use LDAP for user account information, it can't seem to be able to use an MIT based KDC authentication backend. To do this, you would need to be able to install a keytab file on your samba server so it would work with your KDC. I have not been able to figure out how to do this (although you can get it to work with an AD KDC). I would love to hear otherwise because we need this ability for our site as well.

Aaron

On Saturday, April 10, 2004, at 06:09AM, Sensei <senseiwa@tin.it> wrote:
> Is samba of any use? Can I grant tickets and tokens via samba, mapping
> windows home directories on the afs home dir? This information can be
> retrieved from openldap...
In reply to my own message, I do know that you can set up a trust between a UNIX (in our case) MIT Kerberos realm and AD so that your users can use their UNIX Kerberos credentials to log into their machines and access standard kerberos services, but also use the services that require AD at the same time (without logging in again). The logic would follow that you could then bind a samba server to the AD in this setup and then could use it from windows, even though you initially logged in with your UNIX Kerberos/LDAP identity.

I have not been able to get *this* to work either: the samba member server will bind to the AD, but when I try to log into it from a windows client that has both a TGT from our MIT KDC and our AD KDC (which trusts the MIT one) I get a variety of errors, none seeming all too consistent.

Can anyone on the samba team comment as to whether a setup like this should work? In theory, I would expect it to...

Aaron

On Saturday, April 10, 2004, at 06:22PM, Aaron Rosenblum <arosenbl@mac.com> wrote:
> What I think you are trying to do is have a Samba file server be a member of a Kerberos (MIT) realm outside of the use of Active Directory.