So, like at least a handful of people before me, I have begun the valiant struggle to unify logins at my place of business.

I have set up a test LDAP + Kerberos V cluster.

And I have set up a test Samba 3 PDC.

What I would like to do is get Samba to handle Kerberos ticket granting and authentication to the (LDAP + Kerberos V) directory, such that Windows is completely unaware of the existence of Kerberos. And also such that I don't have to keep Samba domain passwords in LDAP and sync them to Kerberos in some sort of bizarre, otherworldly failure in authentication unification.

(Pardon my attempts at prose; I am working on 3 hours of sleep.)

The question is really one of what you might suggest in terms of a design, particularly if you have tried and/or done this in the past.

I have heard at least with Samba 2 what I am trying is impossible. Not sure with Samba 3. I am wondering if the Active Directory support can be employed to my benefit in this manner.

Now, assuming the worst and Samba is incapable of handling Kerberos tickets, and assuming I manage to handle tickets in LDAP itself.... I can authenticate LDAP Samba users of Kerberos without having to keep a synced password DB, correct?

-Matt
Matt Joyce wrote:
> So, like at least a handful of people before me, I have begun the
> valiant struggle to unify logins at my place of business.
>
> I have set up a test LDAP + Kerberos V cluster.
>
> And I have set up a test Samba 3 PDC.
>
> What I would like to do is get Samba to handle Kerberos ticket
> granting and authentication to the (LDAP + Kerberos V) directory,
> such that Windows is completely unaware of the existence of Kerberos.
> And also such that I don't have to keep Samba domain passwords in
> LDAP and sync them to Kerberos in some sort of bizarre, otherworldly
> failure in authentication unification.
>
> (Pardon my attempts at prose; I am working on 3 hours of sleep.)
>
> The question is really one of what you might suggest in terms of a
> design, particularly if you have tried and/or done this in the past.
>
> I have heard at least with Samba 2 what I am trying is impossible.
> Not sure with Samba 3. I am wondering if the Active Directory support
> can be employed to my benefit in this manner.

You can read more about it at:
https://sec.miljovern.no/bin/view/Info/HeimdalKerberosSambaAndOpenLdap

> Now, assuming the worst and Samba is incapable of handling Kerberos
> tickets, and assuming I manage to handle tickets in LDAP itself.... I
> can authenticate LDAP Samba users of Kerberos without having to keep a
> synced password DB, correct?
>
> -Matt

Cheers

Geza
Matt Joyce wrote:
> Gémes Géza wrote:
>
>> Matt Joyce wrote:
>>
>>> So, like at least a handful of people before me, I have begun the
>>> valiant struggle to unify logins at my place of business.
>>>
>>> I have set up a test LDAP + Kerberos V cluster.
>>>
>>> And I have set up a test Samba 3 PDC.
>>>
>>> What I would like to do is get Samba to handle Kerberos ticket
>>> granting and authentication to the (LDAP + Kerberos V) directory,
>>> such that Windows is completely unaware of the existence of
>>> Kerberos. And also such that I don't have to keep Samba domain
>>> passwords in LDAP and sync them to Kerberos in some sort of bizarre,
>>> otherworldly failure in authentication unification.
>>>
>>> (Pardon my attempts at prose; I am working on 3 hours of sleep.)
>>>
>>> The question is really one of what you might suggest in terms of a
>>> design, particularly if you have tried and/or done this in the past.
>>>
>>> I have heard at least with Samba 2 what I am trying is impossible.
>>> Not sure with Samba 3. I am wondering if the Active Directory
>>> support can be employed to my benefit in this manner.
>>>
>>
>> You can read more about it at:
>> https://sec.miljovern.no/bin/view/Info/HeimdalKerberosSambaAndOpenLdap
>>
>>
>>> Now, assuming the worst and Samba is incapable of handling Kerberos
>>> tickets, and assuming I manage to handle tickets in LDAP itself....
>>> I can authenticate LDAP Samba users of Kerberos without having to
>>> keep a synced password DB, correct?
>>>
>>> -Matt
>>
>>
>>
>> Cheers
>>
>> Geza
>>
> Yeah, that's almost decent documentation for LDAP + Kerberos but says
> absolutely nothing about Samba 3.
>

That's very easy to explain, because if you follow it you will have your Kerberos using Samba's MD4 password hash, and so all of your *nix and Windows machines will use the same password. However, as Samba 3 is able to emulate an NT4 DC, Windows clients don't try, nor are they successful in, using Kerberos against it.
So you can have something like in the following ASCII graphic:

 ______________               _______________                  ______________
|              |             |               |                |              |
|              |------------>|     LDAP      |<---------------|    Samba     |
|              |             |_______________|                |______________|
|    *nix      |                     ^                                ^
|   client     |              _______|_______                  _______|______
|              |             |               |                |              |
|              |------------>|    Heimdal    |                |   Windows    |
|______________|             |_______________|                |    client    |
                                                              |______________|

Hope this helps to clarify the situation in a pre-Samba4 world.

Cheers,

Geza