Pieter Thysebaert
2004-Sep-27 13:27 UTC
[Samba] Newbie: SAMBA, LDAP, Kerberos as password Database
Hello people,

We are thinking of an infrastructure overhaul, and I have the following question.

Currently, we use Samba to serve files to Windows 2000 and XP clients. I am by no means a Windows/Samba expert, but from a user perspective it means that one can

a. Map a network drive under Windows, specifying the correct username/password pair
b. use smbmount under Linux to do the same thing.

As it is now, we have a Samba password database which is separated from our unix password database (NIS).

This is where we might want to go:

1. We want to deploy MIT Kerberos 5, and we want the Kerberos password database to be the ONLY password database.
2. User accounts: posixAccount+sambaAccounts in OpenLDAP.
3. configure openLDAP to recognize {SASL} passwords and authenticate through Kerberos.
4. Block write access to all password fields in the OpenLDAP tree. (only Kerberos password should be writable using the kpasswd tool)

My main question is: using Samba 3.x and ldap_sam, can one use password-based authentication against the Kerberos password database by simply entering a {SASL} type value in the sambaLMPassword and NTPassword fields in LDAP?

Pieter
Adam Tauno Williams
2004-Sep-27 15:04 UTC
[Samba] Newbie: SAMBA, LDAP, Kerberos as password Database
> 1. We want to deploy MIT Kerberos 5, and we want the Kerberos password
> database to be the ONLY password database.

Use Heimdal Kerberos and your KDC can use OpenLDAP as the back-end.

> 2. User accounts: posixAccount+sambaAccounts in OpenLDAP.
> 3. configure openLDAP to recognize {SASL} passwords and authenticate through
> Kerberos.

Works.

> 4. Block write access to all password fields in the OpenLDAP tree. (only
> Kerberos password should be writable using the kpasswd tool)

An LDAP configuration issue, and a minor one at that.

> My main question is: using Samba 3.x and ldap_sam, can one use
> password-based
> authentication against the Kerberos password database by simply entering a
> {SASL} type value in the sambaLMPassword and NTPassword fields in LDAP?

No, but the KDC can authenticate against the NTPassword field, or you can keep the passwords in sync.
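
The following is an added example, not part of the thread: a small audit over an LDIF export that separates the attribute where a {SASL} pass-through value is meaningful (userPassword) from the Samba hash attributes, which Samba reads as 32-hex-digit hashes and where a {SASL} string is therefore unusable. The entries, DNs and the EXAMPLE.ORG realm are constructed placeholders, and the parser assumes plain LDIF without base64 values or folded lines.

```python
import re

HEX32 = re.compile(r"^[0-9A-Fa-f]{32}$")          # shape of an LM/NT hash value
SASL = re.compile(r"^\{SASL\}[^@\s]+@[^@\s]+$")    # {SASL}principal@REALM

# Constructed sample entries (not from the thread); realm and DNs are placeholders.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=org
objectClass: posixAccount
objectClass: sambaSamAccount
userPassword: {SASL}alice@EXAMPLE.ORG
sambaNTPassword: 0123456789ABCDEF0123456789ABCDEF
sambaLMPassword: FEDCBA9876543210FEDCBA9876543210

dn: uid=bob,ou=People,dc=example,dc=org
objectClass: posixAccount
objectClass: sambaSamAccount
userPassword: {SASL}bob@EXAMPLE.ORG
sambaNTPassword: {SASL}bob@EXAMPLE.ORG
sambaLMPassword: {SASL}bob@EXAMPLE.ORG

dn: uid=carol,ou=People,dc=example,dc=org
objectClass: posixAccount
userPassword: {SSHA}constructedPlaceholderHash
"""

def parse_ldif(text):
    """Parse simple LDIF into {dn: {lowercased attr: [values]}}."""
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            name, _, value = line.partition(": ")
            attrs.setdefault(name.lower(), []).append(value)
        entries[attrs["dn"][0]] = attrs
    return entries

def audit(entries):
    """Return {dn: [findings]} for entries that do not fit the plan in the thread."""
    report = {}
    for dn, attrs in entries.items():
        findings = []
        for pw in attrs.get("userpassword", []):
            if not SASL.match(pw):
                findings.append("userPassword is a local hash, not {SASL} pass-through")
        for name in ("sambantpassword", "sambalmpassword"):
            for value in attrs.get(name, []):
                if not HEX32.match(value):
                    findings.append(name + " is not a 32-hex-digit hash")
        if findings:
            report[dn] = findings
    return report
```
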