José Ildefonso Camargo Tolosa
2004-Apr-14 14:51 UTC
[Samba] OpenLDAP, heimdal kerberos, sasl, which order?
Hi!

I have been reading for about two weeks (maybe I'm reading in the wrong places). I have found as many documents as one could expect describing how to build an LDAPv3 server, or how to build Samba with LDAP. This far, I have failed, and have a BIG confusion about the order in which the things should go:

In one document, they recommend this:

samba -> ldap -> sasl -> kerberos (so the passwords get stored in the Kerberos database, at least that's what they say, but..... does the Samba schema do this in fact? Will the Samba passwords be kept in the Kerberos database, or does it just store the passwords in the LDAP database?).

In another (simpler):

samba -> ldap
and:
kerberos -> ldap (thus storing the Kerberos passwords in the LDAP (duh...)).

All that I'm trying to do is to get a PDC with a directory service, but I need it to be secure (that's why I'm bothering with Kerberos). Anyway, I would like to know: in which order should I build the thing?

Build orders:

1. kerberos, next sasl, next ldap, next samba (configured for samba -> ldap -> sasl -> kerberos).
2. ldap, next samba (just samba -> ldap, without Kerberos password storing).

Also, if I use option 1, should the Windows clients use a Kerberos client, or do they just log in as usual? Has anybody tested something like this?

My system:

Hardware:
+ Athlon XP 1500+, 512MB RAM (133).

Software:
+ Slackware 9.1 (with kernel 2.6.5), and most recent upgrades of all packages.
+ OpenLDAP 2.2.8
+ Kerberos: MIT Kerberos 1.3.2 (read somewhere that it has thread issues, I'm thinking to move to Heimdal, any suggestions?), Heimdal 0.6.1.
+ Samba 3.0.2a
+ Cyrus SASL 2.1.18
+ Berkeley DB 4.2.52
+ OpenSSL 0.9.7d.

Thanks in advance for your help,

Sincerely,

Ildefonso Camargo
icamargo@merkurio.com.ve
José Ildefonso Camargo Tolosa wrote:
| Hi!
| [...]
| Ildefonso Camargo
| icamargo@merkurio.com.ve

If you have no *NIX clients, then you couldn't yet get any serious benefit from using Kerberos for Windows clients. So in this case I would suggest to build OpenSSL, OpenLDAP, and then Samba.

Configure a certificate authority, if you don't want to use a commercially available one. Create certificates for your OpenLDAP server. Configure OpenLDAP. Configure nss_ldap and pam_ldap to use TLS or SSL connections. Configure Samba to connect using TLS or SSL to your LDAP server.

In this way you can achieve the maximum security from the ldap+samba setup.

Cheers
Geza
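The last two of Geza's steps come down to two settings: the Samba side (`ldap ssl` in smb.conf, Samba 3 syntax) and the nss_ldap/pam_ldap side (`ssl`, `tls_checkpeer`, `tls_cacertfile` in PADL's ldap.conf). The check below is an added example, not code from the thread, Samba or PADL: it parses constructed smb.conf and ldap.conf fragments (the host, DNs and CA path are made up) and reports the weak transport settings next to the corrected ones. It only looks at the transport; schema, ACLs and the CA itself are outside its scope.

```python
import configparser

# Constructed sample configs (not from the thread). The "weak" pair talks to
# slapd in the clear, so the Samba LDAP admin bind password and every
# sambaNTPassword/sambaLMPassword that Samba reads cross the wire unencrypted.
# The "hardened" pair applies the thread's advice: StartTLS on both paths and
# server-certificate verification against the local CA.
WEAK_SMB_CONF = """
[global]
workgroup = EXAMPLE
domain logons = yes
passdb backend = ldapsam:ldap://ldap.example.com
ldap admin dn = cn=Manager,dc=example,dc=com
ldap suffix = dc=example,dc=com
ldap ssl = off
"""

HARDENED_SMB_CONF = WEAK_SMB_CONF.replace("ldap ssl = off", "ldap ssl = start tls")

# PADL nss_ldap / pam_ldap ldap.conf: "key value" lines, no sections.
WEAK_LDAP_CONF = """
host ldap.example.com
base dc=example,dc=com
ssl off
"""

HARDENED_LDAP_CONF = """
host ldap.example.com
base dc=example,dc=com
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/openldap/cacert.pem
"""


def check_smb_conf(text):
    """Findings for the ldapsam transport in an smb.conf [global] section."""
    # smb.conf values contain ':' (ldap://) and '=' (DNs), so split only on
    # the first '=' and disable % interpolation.
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.read_string(text)
    if not cp.has_section("global"):
        return ["smb.conf: no [global] section"]
    g = cp["global"]
    backend = g.get("passdb backend", "").strip()
    if not backend.startswith("ldapsam:"):
        return []  # not an LDAP passdb, nothing to check here
    uri = backend[len("ldapsam:"):].strip()
    if not uri.startswith("ldap://"):
        return []  # an ldaps:// URI already encrypts the connection
    mode = g.get("ldap ssl")
    if mode is None:
        return ["smb.conf: 'ldap ssl' not set; set 'ldap ssl = start tls' explicitly"]
    if mode.strip().lower() == "off":
        return ["smb.conf: 'ldap ssl = off' with an ldap:// passdb URI; set 'ldap ssl = start tls'"]
    # "start tls" upgrades the ldap:// session; "on" makes Samba 3 use LDAPS instead.
    return []


def check_ldap_conf(text):
    """Findings for a PADL nss_ldap/pam_ldap ldap.conf."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        opts[key.lower()] = value.strip()
    findings = []
    ssl = opts.get("ssl", "off").lower()
    if ssl not in ("start_tls", "on"):
        findings.append("ldap.conf: 'ssl %s'; set 'ssl start_tls' (or 'ssl on' for LDAPS)" % ssl)
    if opts.get("tls_checkpeer", "").lower() != "yes":
        findings.append("ldap.conf: set 'tls_checkpeer yes' so the server certificate is verified")
    if "tls_cacertfile" not in opts and "tls_cacertdir" not in opts:
        findings.append("ldap.conf: no tls_cacertfile/tls_cacertdir; point it at your CA certificate")
    return findings


if __name__ == "__main__":
    for name, text, fn in (("weak smb.conf", WEAK_SMB_CONF, check_smb_conf),
                           ("hardened smb.conf", HARDENED_SMB_CONF, check_smb_conf),
                           ("weak ldap.conf", WEAK_LDAP_CONF, check_ldap_conf),
                           ("hardened ldap.conf", HARDENED_LDAP_CONF, check_ldap_conf)):
        print(name, "->", fn(text) or "ok")
```

The TLS upgrade protects the LDAP session, but nss_ldap and pam_ldap also bind to slapd with a credential of their own; which attributes that identity may read (in particular the sambaNTPassword and sambaLMPassword hashes) is decided by slapd's ACLs, not by anything in these two files.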
Andrew Bartlett wrote:
> On Thu, 2004-04-22 at 22:29, Dan Hill wrote:
>> Andrew Bartlett wrote:
>>> On Thu, 2004-04-15 at 21:47, Diego Julian Remolina wrote:
>>>> If you want to see the order on how to compile them and get them to work then look at:
>>>>
>>>> http://www.math.gatech.edu/~dijuremo/ldap/
>>>>
>>>> If you have a native Windows PDC and Samba is acting as a secondary, then you can have Kerberos authentication against the Windows PDC Kerberos. This is done with a cross-realm authentication trick, as I was told by Gerald Carter (one of the developers of Samba). Samba 3 does not support Kerberos auth without having a Windows PDC with Active Directory. If you do not have a native Windows PDC then you need to authenticate against the passwords stored in tdbsam or ldapsam but not on Kerberos.
>>>
>>> See, this is the trick I've been talking about. Technically, Samba can use Kerberos without a Windows DC, but there are some silly (and some not quite so silly) reasons why that's not an option right now.
>>>
>>> However, you can add Kerberos to your existing Samba LDAP server. That is, if you run Heimdal 0.6.1 (or better still a snapshot) you can use your sambaNTPassword as the type 23 encryption key, and have Linux/Unix/OSX clients use Kerberos.
>>>
>>> Andrew Bartlett
>>
>> Thanks for the link.
>>
>> Is it very difficult to add the Kerberos support after an LDAP Samba PDC/BDC setup has been configured and in production mode?
>
> Samba won't know the difference - but the new Heimdal KDC however will operate on exactly the same passwords!
>
> You could even do it on a read-only LDAP slave, if you don't intend to change passwords (password changes are probably best done by Samba only at this point).
>
> Andrew Bartlett

Firstly, sorry about not sending my above message to the list. I guess I hit reply rather than reply-all.

Thanks. I will be giving Heimdal a try.

~Dan
On Fri, 2004-04-23 at 20:38, Adam Tauno Williams wrote:
>>> http://www.math.gatech.edu/~dijuremo/ldap/
>>
>> However, you can add Kerberos to your existing Samba LDAP server. That is, if you run Heimdal 0.6.1 (or better still a snapshot) you can use your sambaNTPassword as the type 23 encryption key, and have Linux/Unix/OSX clients use Kerberos.
>
> Just curious if Heimdal will honor account flags like locked or disabled?

Yes. Not very well, but they are honoured. (I need to look into the mapping a bit more.)

> And does it update/use the password can/must change attributes (for expiration, etc..)?

Not at present. What I really want to see is the password policy stuff go into OpenLDAP, and have it set the values for all users.

Andrew Bartlett
-- 
Andrew Bartlett abartlet@pcug.org.au
Manager, Authentication Subsystems, Samba Team abartlet@samba.org
Student Network Administrator, Hawker College abartlet@hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net
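Why the sambaNTPassword attribute can be handed to a KDC as the "type 23" key, as stated in Andrew's two replies above: Kerberos encryption type 23 is rc4-hmac, whose string-to-key function (RFC 4757, section 2) is MD4 over the UTF-16LE password with no salt, and that is exactly the NT hash Samba stores in sambaNTPassword. The code below is an added example, not code from the thread, Samba or Heimdal. It carries its own MD4 (hashlib's md4 is often missing in OpenSSL 3 builds), computes the attribute value the way Samba does, re-derives the etype 23 key from the password the way a KDC would, and shows the two are the same bytes. The sample password is constructed.

```python
import struct

MASK = 0xFFFFFFFF


def _lrot(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def _md4_round(v, fn, X, order, shifts, const):
    # One MD4 round: 16 steps that update a, d, c, b in turn from the other
    # three state words, the message word X[k] and the round constant.
    for i, k in enumerate(order):
        t = (-i) % 4
        x, y, z = v[(t + 1) % 4], v[(t + 2) % 4], v[(t + 3) % 4]
        v[t] = _lrot((v[t] + fn(x, y, z) + X[k] + const) & MASK, shifts[i % 4])


def md4(data):
    """MD4 as in RFC 1320: pad to 56 mod 64, append the 64-bit LE bit length,
    then three rounds per 64-byte block over a four-word state."""
    msg = bytearray(data)
    bit_len = (len(data) * 8) & 0xFFFFFFFFFFFFFFFF
    msg.append(0x80)
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", bit_len)

    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z

    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        v = list(state)
        _md4_round(v, F, X, range(16), (3, 7, 11, 19), 0)
        _md4_round(v, G, X, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15),
                   (3, 5, 9, 13), 0x5A827999)
        _md4_round(v, H, X, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15),
                   (3, 9, 11, 15), 0x6ED9EBA1)
        state = [(s + w) & MASK for s, w in zip(state, v)]
    return struct.pack("<4I", *state)


def nt_hash(password):
    """The NT hash: MD4 over the UTF-16LE password. No salt, no iteration."""
    return md4(password.encode("utf-16-le"))


def samba_nt_password_attr(password):
    """sambaNTPassword as Samba writes it to LDAP: 32 uppercase hex digits."""
    return nt_hash(password).hex().upper()


def rc4_hmac_string_to_key(password):
    """Kerberos etype 23 (rc4-hmac) string-to-key, RFC 4757 section 2:
    MD4(UNICODE(password)). The realm and principal never enter the key,
    unlike the AES etypes of RFC 3962, which salt with both."""
    return md4(password.encode("utf-16-le"))


def key_from_samba_entry(attr_value):
    """What a KDC backed by the Samba tree (Heimdal's LDAP hdb, per the
    thread) needs from the entry: the stored hex turned back into raw key bytes."""
    return bytes.fromhex(attr_value)


def keys_match(password):
    """True when the key read from sambaNTPassword equals the key the KDC
    would derive from the password itself."""
    return key_from_samba_entry(samba_nt_password_attr(password)) == rc4_hmac_string_to_key(password)


if __name__ == "__main__":
    pw = "password"  # constructed sample password
    print("sambaNTPassword:", samba_nt_password_attr(pw))
    print("etype 23 key:   ", rc4_hmac_string_to_key(pw).hex().upper())
    print("same key:", keys_match(pw))
```

The practical consequence is the caveat to carry into the design: once the KDC uses it, sambaNTPassword is not a password verifier but a Kerberos long-term key, and anyone who can read the attribute (a loose slapd ACL, a cleartext LDAP session of the kind the earlier reply warns about, a copy of a replica's database) can request tickets for that user without knowing the password. Restrict read access to the attribute to the Samba admin DN and the KDC's identity, and keep the transport encrypted.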