samba - Apr 2004 - OpenLDAP,heimdal kerberos,sasl, wich order?

Hi!

I have been reading for about two weeks (maybe I'm reading on the wrong 
places).  I have found as many documents as one could expect describind 
how to build a LDAPv3 server, or how to build samba with ldap.  This 
far, I have failed, and have a BIG confution in the order in wich the 
things should go:

In one document, they recommend this:

samba -> ldap -> sasl -> kerberos (so, the passwords gets stored in the
kerberos database, at least that's what they says, but..... does the 
samba schema do this in fact? does the samba passwords will be kept in 
the kerberos database?, or it just store the passwords in the ldap's 
database).

In other (simplier):

samba -> ldap
and:
kerberos -> ldap (thus, storing the kerberos passwords in the ldap 
(duh...)).

All that I'm trying to do is to get a PDC with a directory service, but 
I need it to be secure (that's why I'm bothering with kerberos).  
Anyway, I would like to know: in wich order should I build the thing?:

Build orders:

1. kerberos, next sasl, next ldap, next samba (configured for samba -> 
ldap -> sasl -> kerberos).
2. ldap, next samba (just samba -> ldap,  without kerberos password 
storing).

Also, If I use the option 1, should the windows clients use a kerberos 
client?, or they just login as usual.  Has anybody tested something like 
this?

My system:

Hardware:
+ Athlon XP 1500+, 512Mb RAM (133).

Software:
+ Slackware 9.1 (with kernel 2.6.5), and most recent upgrades of all 
packages.
+ OpenLDAP 2.2.8
+ kerberos: MIT kerberos 1.3.2 (read somewhere that it has thread 
issues, I'm thinking to move to heimdal, any sujestions?), heimdal 0.6.1.
+ samba 3.0.2a
+ cyrus sasl 2.1.18
+ berkley db 4.2.52
+ open ssl 0.9.7d.

Thanks in advance for your help,

Sincerely,

Ildefonso Camargo
icamargo@merkurio.com.ve

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Jos? Ildefonso Camargo Tolosa ?rta:
| Hi!
|
| I have been reading for about two weeks (maybe I'm reading on the wrong
| places).  I have found as many documents as one could expect describind
| how to build a LDAPv3 server, or how to build samba with ldap.  This
| far, I have failed, and have a BIG confution in the order in wich the
| things should go:
|
| In one document, they recommend this:
|
| samba -> ldap -> sasl -> kerberos (so, the passwords gets stored in
the
| kerberos database, at least that's what they says, but..... does the
| samba schema do this in fact? does the samba passwords will be kept in
| the kerberos database?, or it just store the passwords in the ldap's
| database).
|
| In other (simplier):
|
| samba -> ldap
| and:
| kerberos -> ldap (thus, storing the kerberos passwords in the ldap
| (duh...)).
|
| All that I'm trying to do is to get a PDC with a directory service, but
| I need it to be secure (that's why I'm bothering with kerberos).
| Anyway, I would like to know: in wich order should I build the thing?:
|
| Build orders:
|
| 1. kerberos, next sasl, next ldap, next samba (configured for samba ->
| ldap -> sasl -> kerberos).
| 2. ldap, next samba (just samba -> ldap,  without kerberos password
| storing).
|
| Also, If I use the option 1, should the windows clients use a kerberos
| client?, or they just login as usual.  Has anybody tested something like
| this?
|
| My system:
|
| Hardware:
| + Athlon XP 1500+, 512Mb RAM (133).
|
| Software:
| + Slackware 9.1 (with kernel 2.6.5), and most recent upgrades of all
| packages.
| + OpenLDAP 2.2.8
| + kerberos: MIT kerberos 1.3.2 (read somewhere that it has thread
| issues, I'm thinking to move to heimdal, any sujestions?), heimdal 0.6.1.
| + samba 3.0.2a
| + cyrus sasl 2.1.18
| + berkley db 4.2.52
| + open ssl 0.9.7d.
|
| Thanks in advance for your help,
|
| Sincerely,
|
| Ildefonso Camargo
| icamargo@merkurio.com.ve
|
If you have no *NIX clients, then you couldn't yet get any serious
benefit from using Kerberos for Windows clients.
So in this case I would suggest to build OpenSSL, OpenLDAP, and then
Samba. Configure a certificate authority, if you don't want to use a
commercially available one. Create certificates for your OpenLDAP
server. Configure OpenLDAP. Configure nss_ldap and pam_ldap, to use TLS
or SSL connections. Configure Samba, to connect using TLS or SSL to your
LDAP server. In this way you can achieve the maximum security from the
ldap+samba setup.

Cheers

Geza
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFAfX9h/PxuIn+i1pIRApxzAJ9jOQgVFSwrjYtDxMsRpYYxqpljFACfe1y2
9h71XzzfzI9GHBvlEG535x4=BNeG
-----END PGP SIGNATURE-----

Andrew Bartlett wrote:
> On Thu, 2004-04-22 at 22:29, Dan Hill wrote:
> 
>>Andrew Bartlett wrote:
>>
>>>On Thu, 2004-04-15 at 21:47, Diego Julian Remolina wrote:
>>>
>>>
>>>>If you want to see the order on how to compile them and get them
to work
>>>>then look at:
>>>>
>>>>http://www.math.gatech.edu/~dijuremo/ldap/
>>>>
>>>>If you have a Native Windows PDC and samba is acting as a
secondary then
>>>>you can have kerberos authentication against the windows PDC
kerberos.
>>>>This is done with a cross-realm authentication trick as I was
told by
>>>>Gerald Carter (one of the developers of samba).
>>>>Samba 3 does not support kerberos auths without having a Windows
PDC with
>>>>Active Directory.  If you do not have a native windows pdc then
you need
>>>>to authenticate against the passwords stored in tdbsam or
ldapsam but not
>>>>on kerberos.
>>>
>>>
>>>See, this is the trick I've been talking about.  Technially,
Samba can
>>>use kerberos without a windows DC, but there are some silly, (and
some
>>>not quite so silly) reasons why that's not an option right now.
>>>
>>>However, you can add Kerberos to your existing Samba LDAP server. 
That
>>>is, if you run Heimdal 0.6.1 (or better still a snapshot) you can
use
>>>your sambaNTpassword as the type 23 encryption key, and have
>>>linux/unix/OSX clients use kerberos.
>>>
>>>Andrew Bartlett
>>>
>>>
>>
>>Thanks for the link.
>>
>>Is it very difficult to add the Kerberos support after an LDAP Samba 
>>PDC/BDC setup has been configured and in production mode?
> 
> 
> Samba won't know the difference - but the new Heimdal KDC however will
> operate on exactly the same passwords!
> 
> You could even do it on a read-only LDAP slave, if you don't intend to
> change passwords (password changes are probably best done by Samba only
> at this point).
> 
> Andrew Bartlett
> 
Firstly, sorry about not sending my above message to the list.  I guess 
I hit reply rather than reply-all.

Thanks.  I will be giving Heimdel a try.

~Dan

On Fri, 2004-04-23 at 20:38, Adam Tauno Williams wrote:
> > > http://www.math.gatech.edu/~dijuremo/ldap/
> > However, you can add Kerberos to your existing Samba LDAP server. 
That
> > is, if you run Heimdal 0.6.1 (or better still a snapshot) you can use
> > your sambaNTpassword as the type 23 encryption key, and have
> > linux/unix/OSX clients use kerberos.
> 
> Just curious is Heimdal will honor account flags like locked or
> disabled?  
Yes.  Not very well, but they are honoured.  (I need to look into the
mapping a bit more)
> And does it update/use the password can/must change
> attributes (for expiration, etc..)?
Not at present.  What I really want to see is the password policy stuff
go into OpenLDAP, and have it set the values for all users.  

Andrew Bartlett
-- 
Andrew Bartlett                                 abartlet@pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet@samba.org
Student Network Administrator, Hawker College   abartlet@hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url :
http://lists.samba.org/archive/samba/attachments/20040423/9039760b/attachment.bin