On Wed, 2006-01-18 at 14:47 +1100, HAND,Nathan wrote:
> Hi Samba Users,
>
> I have Samba providing shares to several XP clients. The clients
> currently authenticate using private/smbpasswd. I do not have an Active
> Directory server nor any Windows servers.
>
> I also have an MIT KDC. Various services have been Kerberised including
> SSH (proper GSSAPI negotiation) and Apache (Basic auth). This is all
> functioning correctly. The Apache login and SSH logins from the XP
> clients obviously are not SSO.
>
> I want the Samba software to use Kerberos authentication as well.
> However it won't be possible for the XP clients to contact the KDC so
> the Samba server will need to receive the username/password in plaintext
> and contact the KDC. I appreciate that this won't be SSO and I also
> appreciate that it's not the proper way to do things. I simply want to
> replace private/smbpasswd with the KDC to avoid duplicating the
> username/passwords.
So you want to trade security for password sync?
> I have followed these instructions from the mail archives.
>
> http://lists.samba.org/archive/samba-technical/2005-March/040065.html
>
> I have placed the following into the global section of smb.conf
>
> security = ads
You can only use this if you have an ADS server. Try security=user for
a start.
> realm = MYDOMAIN.COM.AU
> encrypt passwords = yes
> use kerberos keytab = yes
> password server = mykdc.mydomain.com.au
This option doesn't refer to a KDC.
> I have also created a principal
> cifs/smbserver.mydomain.com.au@MYDOMAIN.COM.AU and placed that into
> /etc/krb5/krb5.keytab on smbserver. That is the location used by the MIT
> libraries; I have Apache keys in there that are used by mod_auth_kerb.
>
> When I try to connect using smbclient, entering my Kerberos password
> when prompted:
>
> smbclient //1.2.3.4/sharename -U nathanh -W MYDOMAIN.COM.AU -d 4
>
> I get the following error message in log.smbd.
>
> [2006/01/18 14:13:58, 2] auth/auth.c:check_ntlm_password(317)
> check_ntlm_password: Authentication for user [nathanh] -> [nathanh]
> FAILED with error NT_STATUS_NO_LOGON_SERVERS
You need to kinit first, and then use the -k option.
> Is what I'm trying to do a supported configuration? The documentation
> typically refers to using an existing Win2k or Win2k3 ADS server but I
> have neither of those. The documentation also suggests creating an ADS
> DC with Samba.
This is Samba4, which isn't in a production release yet.
> That's no good to me because the XP clients won't (can't)
> have IP connectivity to the KDC.
Why not?
> I just want the Samba server to use the
> KDC for the verification of the username/password pairs rather than
> checking the private/smbpasswd file.
>
> Possible? Impossible? Are the NTLM encrypted passwords from the XP
> client going to trip me up here? I can possibly change registry keys on
> the XP clients to emit plaintext, if that's the only way this is going
> to work.
That is certainly the only way this could possibly work, if you cannot
talk kerberos between the XP machines and the KDC. Look into pam_krb5
for a possible plaintext solution, but it really isn't a good idea...
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Student Network Administrator, Hawker College http://hawkerc.net